
Re: separate keytab files



On Monday, April 4, 2005, at 09:02 AM, Gaurav Sharma wrote:
Is there a way to run MIT kerberos v5 1.3.x and openldap 2.2.x using
cyrus-sasl without setting KRB5_KTNAME environment variable?

The reason I want to do this is because I have other kerberized
applications running whose authentication fails if I set
KRB5_KTNAME=/xxx/ldap.keytab (which contains the LDAP service
principal), for GSSAPI auth. I don't want ldap to have access to the
/etc/krb5.keytab file.

I don't know how you're setting KRB5_KTNAME in this case, but if it's set in slapd's environment only, it will apply only to slapd (and anything invoked by slapd, which doesn't seem like it should be a problem.)

You can do this in the startup script, e.g.,
   KRB5_KTNAME=/xxx/ldap.keytab
   export KRB5_KTNAME
   slapd -h ldap://$hostname

or more succinctly, and more obviously limited to the
slapd process only,

   KRB5_KTNAME=/xxx/ldap.keytab slapd -h ldap://$hostname

	Donn Cave, donn@u.washington.edu
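A small wrapper in the spirit of the one-liner above, added here as an example and not taken from the thread: it refuses to start the service unless the keytab exists and is not readable by other users, then places KRB5_KTNAME only in the child's environment, so the caller's shell and every other kerberized service keep using the default /etc/krb5.keytab. The keytab path and the use of `sh -c` standing in for slapd in the demonstration are assumptions.

```shell
#!/bin/sh
# start_with_keytab KEYTAB CMD [ARGS...]
# Run CMD with KRB5_KTNAME pointing at KEYTAB, for that process only.
start_with_keytab() {
    keytab=$1; shift
    # A service keytab holds a long-term key: refuse to start if it is
    # missing or if anyone but its owner can read it (expect 0600/0400).
    [ -f "$keytab" ] || { echo "keytab not found: $keytab" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as the fallback.
    perms=$(stat -c '%a' "$keytab" 2>/dev/null || stat -f '%Lp' "$keytab")
    case "$perms" in
        600|400) ;;
        *) echo "keytab $keytab is mode $perms; expected 600 or 400" >&2
           return 1 ;;
    esac
    # The assignment prefix scopes the variable to CMD's environment;
    # nothing else on the host sees it.
    KRB5_KTNAME=$keytab "$@"
}

# Real usage (hypothetical path, as in the thread):
#   start_with_keytab /xxx/ldap.keytab slapd -h ldap://$hostname

# Demonstration with a constructed stand-in for the keytab (an empty 0600
# file) and `sh -c` standing in for slapd: prints what the child and the
# caller each see as KRB5_KTNAME.
demo_scope() {
    kt=$(mktemp)
    chmod 600 "$kt"
    child=$(start_with_keytab "$kt" sh -c 'printf %s "$KRB5_KTNAME"')
    echo "child sees:  $child"
    echo "caller sees: ${KRB5_KTNAME:-<unset>}"
    rm -f "$kt"
}
demo_scope
```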