--On Tuesday, February 27, 2007 6:34 PM -0800 Enrique Rodriguez
<[EMAIL PROTECTED]> wrote:

On 2/27/07, Mark Wilcox <[EMAIL PROTECTED]> wrote:

I have a quick question. Did you use the example Kerberos entries that
come with ApacheDS or are there example entries posted elsewhere?
I didn't see them on the Wiki docs.

No, I haven't posted them yet. This is pretty alpha, which is why I
put them in the sandbox. I'm not sure which example Kerberos entries
you're referring to, but IIRC the example we ship has entries for
similar services, like krbtgt, changepw, and ssh. Below is a quick
entry for an LDAP server. You need an LDAP service principal, krbtgt
entry, and at least one user principal to make this work. The key
thing is the format of the LDAP service principal name:

Use 'ldap' for LDAP:

krb5PrincipalName: ldap/[EMAIL PROTECTED]
Although this is the attribute I use for my OpenLDAP directories, I will
note that this attribute is not part of any RFC standard. In fact,
there is no RFC-standardized way of storing Kerberos principals in a
directory that I'm aware of. I raised this issue to MIT and Heimdal once,
and apparently they are "working" on something. But that was several years
ago. I certainly would ensure that this not be a hard-coded method of
making SASL/GSSAPI work. The sasl-regexp bits from OpenLDAP are pretty
handy in this area; you may wish to review them if you haven't yet.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
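Added example (not code from any of the posters): a small Python model of how OpenLDAP's sasl-regexp (authz-regexp) rules turn the GSSAPI identity of a principal such as ldap/host@REALM or user@REALM into a directory DN, which is the mapping step the reply above recommends instead of hard-coding principal storage. The realm, rules, hostnames and DNs are constructed for the example.

```python
import re

# Constructed rules in OpenLDAP's sasl-regexp style: (pattern, replacement),
# tried in order, first match wins, $N is the Nth capture group.
# Realm and DNs are invented for this example.
SASL_REGEXP_RULES = [
    # Service principals (ldap/host@REALM) arrive as uid=ldap/host,...;
    # keep them in a separate subtree from people.
    (r"^uid=([^/,]+)/([^,]+),cn=example\.com,cn=gssapi,cn=auth$",
     r"cn=$1/$2,ou=services,dc=example,dc=com"),
    # Plain user principals (user@REALM) arrive as uid=user,...
    (r"^uid=([^,/]+),cn=example\.com,cn=gssapi,cn=auth$",
     r"uid=$1,ou=people,dc=example,dc=com"),
]


def gssapi_authcid(principal):
    """Form the synthetic SASL identity slapd builds for a GSSAPI principal:
    uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth."""
    name, _, realm = principal.rpartition("@")
    return f"uid={name},cn={realm},cn=gssapi,cn=auth"


def map_sasl_identity(authcid, rules=SASL_REGEXP_RULES):
    """Return the DN produced by the first matching rule, or None.

    Patterns are matched case-insensitively, as slapd compiles them.
    An identity no rule matches gets no real DN (slapd keeps the synthetic
    cn=auth form, which names no entry), so an unknown realm such as
    OTHER.ORG cannot be mapped onto a local account by accident.
    """
    for pattern, template in rules:
        m = re.match(pattern, authcid, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d+)",
                          lambda g: m.group(int(g.group(1))), template)
    return None


if __name__ == "__main__":
    for p in ("ldap/ldap.example.com@EXAMPLE.COM", "quanah@EXAMPLE.COM",
              "mallory@OTHER.ORG"):
        print(p, "->", map_sasl_identity(gssapi_authcid(p)))
```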