[Date Prev][Date Next] [Chronological] [Thread] [Top]

kerberos ldap/host.my.domain

To: openldap-technical@openldap.org
Subject: kerberos ldap/host.my.domain
From: Friedrich Locke <friedrich.locke@gmail.com>
Date: Tue, 28 Jun 2011 16:05:06 -0300
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; bh=oNx2CNwBQ+LRbftaJcalP+9U8Ercax+Yhgn0kkGBgBA=; b=RU7tRxznPjrz6Q1zvVO0fNSqiSP+rQNc/P9I2koV3QgSxXSM2IwIVPXPSDIuehSBEb XKJhG7jmcCG9cc6qvujqz0gC8jvaR4XUivia1AwYasm0zJMbNdEHTwORopwieSwQR8QU bM1TSW+6DDTkNOe7AoHjnlOYh2YBB1qLLuM/0=

Hi folks,

i have just installed openldap and i am facing a situation i would
like to share with you.

In OpenBSD (the OS i am using) i have the keytab file inside
/etc/kerberosV. Its access mode is 600, its ownership is root:wheel.
But OpenBSD specifies a user and group the slapd daemon should run as;
the user is "u" and group "g".
In order to get SASL/GSSAPI working i need to add to the keytab the
principal ldap/host.my.domain. I did it; now the keytab has the
principals host/x.y.z and ldap/x.y.z

But since slapd runs as another user it is prevented from accessing
the keytab file.
So i thought the following possible solutions:

0) Run slapd as root
1) change the permission of the keytab

Any of those options above makes security less secure.
I known there should be some more approaches, but i cannot think it right now.

How did you handle that?

Thanks a lot for your time and cooperation.

Best regards.

Follow-Ups:
- Re: kerberos ldap/host.my.domain
  - From: Dieter Kluenter <dieter@dkluenter.de>
- Re: kerberos ldap/host.my.domain
  - From: Dan White <dwhite@olp.net>

Prev by Date: Re: access
Next by Date: slaptest returns "index attribute "reqStart" undefined
Index(es):
- Chronological
- Thread