Re: kerberos ldap/host.my.domain

[Dan White <dwhite@olp.net>]

On 28/06/11 16:05 -0300, Friedrich Locke wrote:
> Hi folks,
>
> i have just installed openldap and i am facing a situation i would
> like to share with you.
>
> In OpenBSD (the OS i am using) i have the keytab file inside
> /etc/kerberosV. Its access mode is 600, its ownership is root:wheel.
> But OpenBSD specifies a user and group the slapd daemon should run as;
> the user is "u" and group "g".
> In order to get SASL/GSSAPI working i need to add to the keytab the
> principal ldap/host.my.domain. I did it; now the keytab has the
> principals host/x.y.z and ldap/x.y.z
>
> But since slapd runs as another user it is prevented from accessing
> the keytab file.
> So i thought the following possible solutions:
>
> 0) Run slapd as root
> 1) change the permission of the keytab
>
> Any of those options above makes security less secure.
> I known there should be some more approaches, but i cannot think it right now.

If your GSSAPI mechanism is compiled against heimdal, you should be able to
specify an alternate location for your keytab file. Create/edit
/usr/lib/sasl2/slapd.conf (or the location specified by --with-configdir at
sasl compile time), and customize the location with:

keytab: /etc/kerberosV-ldap

with read permissions for your slapd user.

Another option is to create a new system group (e.g. 'keytab'), and set
ownership of /etc/kerberosV to 'root:keytab', with read permissions for
keytab, and add your slapd user (and other necessary members) to that
group. Write permissions should not be necessary.

--
Dan White