Tobias Mayer <[email protected]> writes: > I was able to get the overlay to load, but unfortunately not without a > major drawback:
> by using slapd.conf i got slapd to write the following to syslog: > Jun 21 16:16:52 iclinux1 slapd[2625]: smbk5pwd: unable to initialize krb5 > admin context: failed to open /var/lib/heimdal-kdc/m-key: Permission > denied (13). > after opening the permissions to the openldap user, the ldif applies just > fine. > for me this is not a big problem, since i don't use kerberos. But > nonetheless, i think heimdal-kdc should have it's own group, and > openldap should be a member there. Definitely not as a default configuration. Under normal circumstances, there's no way that the LDAP server should have direct access to the KDC database. The KDC database is generally the single most security-sensitive thing on whatever machine on which it's running. That error message indicates that the plugin is using server-mode kadmin, which surprises me. Shouldn't it be using client-mode kadmin with a keytab for a known principal that has the appropriate access in kadmind.acl? -- Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

