Long ago we decided to use the ldapi socket to let the KDC access the
ldap data in order to avoid communication over the network (even if it
is 127.0.0.1).

This patch finally implements that. Beware, though, that this patch
will need you to either create a custom policy or set SELinux to
permissive mode until the new policy lands in Fedora land.

Bugs have been opened and I think the policy has already landed in
rawhide.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From 5328b459ae3f55377b9609a796dd05dc026ba791 Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Wed, 19 Jan 2011 14:08:48 -0500
Subject: [PATCH] Make krb5kdc use the ldapi socket to talk to dirsrv

Fixes: https://fedorahosted.org/freeipa/ticket/812
---
 install/share/krb5.conf.template |    2 +-
 ipaserver/install/krbinstance.py |    2 ++
 2 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
index ab569714bc7d49370ac65587b63bc23e6bd46ca0..9cf4ee84d5e12bc5ecf524f1544e87b2d787c476 100644
--- a/install/share/krb5.conf.template
+++ b/install/share/krb5.conf.template
@@ -34,7 +34,7 @@
 [dbmodules]
   $REALM = {
     db_library = kldap
-    ldap_servers = ldap://127.0.0.1/
+    ldap_servers = ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket
     ldap_kerberos_container_dn = cn=kerberos,$SUFFIX
     ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
     ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
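Review bot: the new `ldap_servers = ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket` line only affects freshly generated krb5.conf files, since this change touches the template and nothing in the patch rewrites an existing `ldap_servers = ldap://127.0.0.1/` entry; please document that existing installs keep using TCP until their krb5.conf is updated, or add an upgrade step. Also worth stating in the commit message that the KDC still binds as `ldap_kdc_dn` over the socket, so the change removes the loopback TCP hop but does not alter how the KDC authenticates to dirsrv; what changes is that access to the socket is now governed by filesystem permissions and, as the cover letter notes, SELinux policy, so an install on an enforcing system without the new policy will fail when the KDC tries to connect.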
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index e7c1116377a66954ecf4c024510e6d9dd79ba69d..9f706797fcbeb79bf0c58c60294c0fc7f6e5f4b9 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -35,6 +35,7 @@ from ipalib import errors
 
 from ipaserver import ipaldap
 from ipaserver.install import replication
+from ipaserver.install.dsinstance import realm_to_serverid
 
 import ldap
 from ldap import LDAPError
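Review bot: this is a module-level import of `realm_to_serverid` from `ipaserver.install.dsinstance`; worth confirming that dsinstance does not import krbinstance in turn, since a cycle would fail at import time rather than at call time.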
@@ -255,6 +256,7 @@ class KrbInstance(service.Service):
                              SUFFIX=self.suffix,
                              DOMAIN=self.domain,
                              HOST=self.host,
+                             SERVER_ID=realm_to_serverid(self.realm),
                              REALM=self.realm)
 
     def __configure_sasl_mappings(self):
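Review bot: `SERVER_ID=realm_to_serverid(self.realm)` must produce exactly the instance name dsinstance used when it created `/var/run/slapd-<id>.socket`, otherwise the templated `ldapi://` URL points at a socket that does not exist and the KDC fails to start with a less obvious error than a refused TCP connection; consider checking for the socket path before starting the KDC and logging the resolved path, so an SELinux denial or a mismatched server id is easy to tell apart.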
-- 
1.7.3.4

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
