> I try to set up a Kerberos/LDAP environment and I fail to set up nss-ldap
> with SASL.
I have succeeded with the following additions to my /etc/nss-ldapd.conf:

  use_sasl on
  sasl_mech GSSAPI
  krb5_ccname FILE:/tmp/krb5cc_host

(Note: I didn't have to specify binddn or sasl_authcid, the default is
to derive it from the principal in the Kerberos credentials cache.)
I did have to make the credentials cache readable and writeable by user
(and/or group) nslcd.
The credentials cache is initially populated using k5start (Debian package
kstart). For example:

  k5start -b -K 60 -u host -i `hostname -f` -f /etc/krb5.keytab \
      -k /tmp/krb5cc_host -g nslcd -m 660

(I'm not too happy about giving a non-root user access to my host
principal key, so I'm not sure I'll use exactly this in production;
but it works, and variations on the theme are possible.)
> As libnss-ldapd uses a separate daemon to make the LDAP requests, it seems
> legitimate to permit specifying a keytab to initiate a kinit when starting,
> possibly with renew/reinit on ticket expiry.
This is legitimate even with the old architecture of libnss-ldap (in fact,
recent versions of libnss-ldap include this feature) but adds complexity
to the code base by duplicating functionality that is available in other
ways (e.g. through k5start). I must question whether it's worth the trouble.
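A small shell check, added here and not part of the original mail, that verifies the nss-ldapd.conf settings described above (use_sasl, sasl_mech, krb5_ccname) and that the credentials cache is group-accessible to nslcd without being readable by anyone else. The config path, cache path and group name are passed as arguments; GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Print the value of a key from nss-ldapd.conf (first match only).
nslcd_conf_get() {
    # $1 = config file, $2 = key name
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# Check that SASL is on, the mechanism is GSSAPI and krb5_ccname names a
# FILE: cache.  Echoes the cache path on success; returns 1 on any problem.
nslcd_gssapi_conf_check() {
    conf=$1
    [ "$(nslcd_conf_get "$conf" use_sasl)" = "on" ] \
        || { echo "use_sasl is not on" >&2; return 1; }
    [ "$(nslcd_conf_get "$conf" sasl_mech)" = "GSSAPI" ] \
        || { echo "sasl_mech is not GSSAPI" >&2; return 1; }
    ccname=$(nslcd_conf_get "$conf" krb5_ccname)
    case $ccname in
        FILE:*) echo "${ccname#FILE:}" ;;
        *) echo "krb5_ccname must be a FILE: cache, got '$ccname'" >&2; return 1 ;;
    esac
}

# Check the credentials cache: it must exist, be group-owned by the group
# nslcd runs as ($2) and grant nothing to 'other' (k5start -g nslcd -m 660
# as in the mail gives exactly that).  Returns 1 on any problem.
ccache_perm_check() {
    ccache=$1; group=$2
    [ -f "$ccache" ] || { echo "$ccache: missing" >&2; return 1; }
    mode=$(stat -c '%a' "$ccache")   # GNU stat, assumed
    grp=$(stat -c '%G' "$ccache")
    [ "$grp" = "$group" ] \
        || { echo "$ccache: group is $grp, expected $group" >&2; return 1; }
    # The last octal digit is the 'other' class; any bit set there means
    # every local user can read (or steal) the host principal's tickets.
    case $mode in
        *0) ;;
        *) echo "$ccache: mode $mode grants access to other" >&2; return 1 ;;
    esac
}
```

Run both checks after the k5start above, e.g. `ccache_perm_check "$(nslcd_gssapi_conf_check /etc/nss-ldapd.conf)" nslcd`, to confirm the cache nslcd will use is the one k5start populated and that it is not world-readable.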