Re: Openldap, kerberos backend, and SASL

[Da Rock <rock_on_the_web@comcen.com.au>]

On Thu, 2009-03-05 at 02:43 +0100, Michael Ströder wrote:
> Da Rock wrote:
> > I'm not sure you quite understand what I mean here-
> 
> I think I do. ;-)
> 
> There's no reason why you shouldn't be able to do the following:
> 
> LDAP Client
>   --ldap:// with SASL/GSSAPI--> slapd
>      --KRB5--> heimdal KDC
>         --ldapi:// with SASL/EXTERNAL--> slapd
> 
> In fact the picture is a bit more complicated but I'm too tired to draw
> the real one. Hope you get the idea.

Actually thats very well presented- at least I get what your saying.

A hiccup here is that I mean that there is no ldap client- yet. I'm
talking about at startup, slapd looks to authenticate with kerberos as a
service, and kerberos is using ldap as the backend store and needs to
authenticate to do so, which kerberos can't do as ldap hasn't
authenticated yet as a service.

I can see several options/problems:

1. this would/should only be a problem on the initial startup and again
IF the system goes down longer than the ticket lifetime.

2. The initial startup shouldn't be a problem as the password could be
changed to SASL/GSSAPI once the system is up and running.

IF rootdn particularly is not allocated a password until changed within
the database itself then this can be set to SASL/GSSAPI after startup,
and the Heimdal user would have to be set in an initial ldif file
anyway- right?