Re: kerberos ldap/host.my.domain
On Tue, 28 Jun 2011 16:05:06 -0300
Friedrich Locke <friedrich.locke@gmail.com> wrote:
> Hi folks,
>
> I have just installed openldap and I am facing a situation I would
> like to share with you.
>
> In OpenBSD (the OS I am using) I have the keytab file inside
> /etc/kerberosV. Its access mode is 600, its ownership is root:wheel.
> But OpenBSD specifies a user and group the slapd daemon should run as;
> the user is "u" and group "g".
> In order to get SASL/GSSAPI working I need to add to the keytab the
> principal ldap/host.my.domain. I did it; now the keytab has the
> principals host/x.y.z and ldap/x.y.z.
>
> But since slapd runs as another user it is prevented from accessing
> the keytab file.
> So I thought of the following possible solutions:
>
> 0) Run slapd as root
> 1) Change the permissions of the keytab
>
> Any of those options above makes security less secure.
> I know there should be some more approaches, but I cannot think of
> them right now.
>
> How did you handle that?
Create an ldap keytab and set appropriate permissions.
-Dieter
--
Dieter Klünter | Systemberatung
sip: 7770535@sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
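One way to carry out Dieter's suggestion, as an added example (it is not code from the thread, from OpenBSD or from OpenLDAP). It assumes the Heimdal ktutil that OpenBSD ships; the keytab paths, the principal name host/x.y.z and the slapd user/group `_openldap` are assumptions, and the second function is a check you can run afterwards to confirm the new file is readable by the slapd user only.

```shell
#!/bin/sh
# Added example, not code from the thread. Splits the ldap/ principal into its
# own keytab (Heimdal ktutil syntax, as shipped with OpenBSD) and checks that
# the result is readable only by the slapd user. The paths, the principal
# names and the slapd user/group are placeholders (assumptions).
set -eu

# Extract: copy every entry of the system keytab, then remove the host/ entry
# so the new keytab carries only ldap/host.my.domain. Runs as root, because
# the source keytab is root:wheel 0600; the host/ key never leaves that file.
make_ldap_keytab() {
    src=$1; dst=$2; host_princ=$3; owner=$4; group=$5
    ktutil copy "$src" "$dst"
    ktutil -k "$dst" remove -p "$host_princ"
    chown "$owner:$group" "$dst"
    chmod 600 "$dst"
}

# Portable mode/owner lookup: GNU stat first, BSD/OpenBSD stat as fallback.
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# Check: returns 0 when the keytab exists, is mode 0600 exactly (no group or
# world bits) and is owned by the expected slapd user; 1 with a reason on
# stderr otherwise.
check_keytab_perms() {
    f=$1; want_owner=$2
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    mode=$(file_mode "$f")
    owner=$(file_owner "$f")
    [ "$mode" = "600" ] || { echo "bad mode $mode on $f (want 600)" >&2; return 1; }
    [ "$owner" = "$want_owner" ] || { echo "bad owner $owner on $f (want $want_owner)" >&2; return 1; }
    return 0
}

# Usage on the OpenBSD box from the thread (as root; names are placeholders):
#   make_ldap_keytab /etc/kerberosV/krb5.keytab /etc/kerberosV/ldap.keytab \
#       host/x.y.z _openldap _openldap
#   check_keytab_perms /etc/kerberosV/ldap.keytab _openldap
```

Point slapd at the new file by setting `KRB5_KTNAME=/etc/kerberosV/ldap.keytab` in its environment (both Heimdal and MIT honour that variable), so the daemon keeps running unprivileged, the system keytab stays root-only, and the only key slapd can read is the one it actually needs.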