On Tue, 28 Jun 2011 16:05:06 -0300, Friedrich Locke <[email protected]> wrote:
> Hi folks,
>
> I have just installed openldap and I am facing a situation I would
> like to share with you.
>
> In OpenBSD (the OS I am using) I have the keytab file inside
> /etc/kerberosV. Its access mode is 600, its ownership is root:wheel.
> But OpenBSD specifies a user and group the slapd daemon should run as;
> the user is "u" and group "g".
> In order to get SASL/GSSAPI working I need to add to the keytab the
> principal ldap/host.my.domain. I did it; now the keytab has the
> principals host/x.y.z and ldap/x.y.z
>
> But since slapd runs as another user it is prevented from accessing
> the keytab file.
> So I thought of the following possible solutions:
>
> 0) Run slapd as root
> 1) change the permission of the keytab
>
> Any of those options above makes security less secure.
> I know there should be some more approaches, but I cannot think of it
> right now.
>
> How did you handle that?

Create a ldap keytab and set appropriate permissions.

-Dieter

--
Dieter Klünter | Systemberatung
sip: [email protected]
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
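One way to carry out the "separate ldap keytab" suggestion, as an added example that is not part of the original thread: copy the shared Heimdal keytab, strip the host/ principal out of the copy, and give the result to the slapd user with mode 600, so neither the shared keytab's permissions nor slapd's privileges have to change. It assumes Heimdal's ktutil as shipped with OpenBSD, a slapd whose environment carries KRB5_KTNAME, and placeholder paths, user/group names and realm.

```shell
#!/bin/sh
# Added example (not from the thread). Paths, user/group and realm are
# placeholders; adjust them to the host. Requires Heimdal ktutil.
set -eu

SRC_KEYTAB=/etc/kerberosV/krb5.keytab    # shared keytab, stays root:wheel 0600
LDAP_KEYTAB=/etc/kerberosV/ldap.keytab   # new keytab readable by slapd only
LDAP_USER=_openldap                      # placeholder for the post's user "u"
LDAP_GROUP=_openldap                     # placeholder for the post's group "g"
REALM=MY.DOMAIN                          # placeholder realm
HOST_PRINC="host/host.my.domain@$REALM"  # must NOT end up in the ldap keytab
LDAP_PRINC="ldap/host.my.domain@$REALM"  # the only principal slapd needs

# True only if $1 is a regular file, mode exactly 0600, owned by user $2.
# POSIX find: -prune keeps it to the single path, -perm 600 is an exact match.
keytab_is_private() {
    f=$1; user=$2
    [ -f "$f" ] || return 1
    [ -n "$(find "$f" -prune -perm 600 -user "$user" -print)" ]
}

# Build the slapd-only keytab: copy all entries, remove the host/ principal,
# hand the file to the slapd user, then verify the result before trusting it.
make_ldap_keytab() {
    src=$1; dst=$2; user=$3; group=$4; drop=$5
    # umask in a subshell so the new file is created 0600 from the start
    ( umask 077 && ktutil copy "$src" "$dst" )
    ktutil -k "$dst" remove -p "$drop"
    chown "$user:$group" "$dst"
    chmod 600 "$dst"
    keytab_is_private "$dst" "$user" || {
        echo "refusing to use $dst: not 0600 and owned by $user" >&2
        return 1
    }
    # slapd must be started with KRB5_KTNAME=$dst in its environment
    # (how to set that depends on the rc script; assumption, not shown here)
    ktutil -k "$dst" list
}

# Run as root with the argument "install"; otherwise only the functions load.
case "${1:-}" in
    install) make_ldap_keytab "$SRC_KEYTAB" "$LDAP_KEYTAB" \
                              "$LDAP_USER" "$LDAP_GROUP" "$HOST_PRINC" ;;
esac
```

After installing, `ktutil -k /etc/kerberosV/ldap.keytab list` should show only the ldap/ principal, and the shared keytab keeps its root:wheel 0600 mode.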
