On Thu, 2009-03-05 at 02:43 +0100, Michael Ströder wrote:
Da Rock wrote:
I'm not sure you quite understand what I mean here -
I think I do. ;-)
There's no reason why you shouldn't be able to do the following:
LDAP Client --ldap:// with SASL/GSSAPI--> slapd --KRB5--> heimdal KDC --ldapi:// with SASL/EXTERNAL--> slapd
In fact the picture is a bit more complicated but I'm too tired to draw the real one. Hope you get the idea.
Actually that's very well presented - at least I get what you're saying.
A hiccup here is that I mean that there is no LDAP client - yet. I'm talking about at startup: slapd looks to authenticate with Kerberos as a service, and Kerberos is using LDAP as the backend store and needs to authenticate to do so, which Kerberos can't do as LDAP hasn't authenticated yet as a service.
I can see several options/problems:
1. this would/should only be a problem on the initial startup and again IF the system goes down longer than the ticket lifetime.
2. The initial startup shouldn't be a problem as the password could be changed to SASL/GSSAPI once the system is up and running.
IF rootdn in particular is not allocated a password until changed within the database itself, then this can be set to SASL/GSSAPI after startup, and the Heimdal user would have to be set in an initial ldif file anyway - right?
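The chain Michael sketches (LDAP clients binding to slapd with SASL/GSSAPI, the Heimdal KDC reaching its LDAP backend over ldapi:// with SASL/EXTERNAL) written out as a configuration example. This is added here for illustration and is not config posted by either participant; the suffix dc=example,dc=com, the ou=KerberosPrincipals subtree, the uid=heimdal service DN, the uid/gid the KDC is assumed to run as, and the file paths are all assumptions. Option names are the ones documented by OpenLDAP (slapd.conf) and Heimdal (krb5.conf [kdc] section); check them against the manpages of the versions actually installed.

```conf
##### /etc/openldap/slapd.conf (fragment) #####
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
# Heimdal ships the schema for krb5Principal / krb5KDCEntry objects
include         /etc/openldap/schema/hdb.schema

# slapd must be started with BOTH listeners, e.g.
#   slapd -h "ldap:/// ldapi:///"
# ldapi:// is the local UNIX socket the KDC will use.

# slapd's own GSSAPI acceptor identity (ldap/ldap.example.com@EXAMPLE.COM);
# the keytab is handed to slapd via KRB5_KTNAME in its environment.
sasl-realm      EXAMPLE.COM
sasl-host       ldap.example.com

# Allow SASL/EXTERNAL over ldapi:// with no further security layer.
sasl-secprops   minssf=0,noanonymous

# Map the KDC's peer credentials (assumed: uid 0 / gid 0 on the ldapi socket)
# to a real DN in the directory. Everything else authenticating via
# GSSAPI gets the usual realm-based mapping.
authz-regexp
  "gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth"
  "uid=heimdal,ou=Services,dc=example,dc=com"
authz-regexp
  "uid=([^,]*),cn=EXAMPLE.COM,cn=gssapi,cn=auth"
  "uid=$1,ou=People,dc=example,dc=com"

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# No rootpw here: rootdn is only reachable via SASL once the KDC is up.

# Only the mapped KDC identity may read or write principal entries.
access to dn.subtree="ou=KerberosPrincipals,dc=example,dc=com"
        by dn.exact="uid=heimdal,ou=Services,dc=example,dc=com" write
        by * none
access to *
        by self write
        by users read
        by anonymous auth

##### /etc/krb5.conf (fragment) #####
[libdefaults]
        default_realm = EXAMPLE.COM

[kdc]
        # Heimdal's LDAP backend; "ldap:" selects hdb-ldap, the rest is the
        # container for principal entries. The KDC binds with SASL/EXTERNAL
        # over the ldapi:// socket named in hdb-ldap-url, so no password is
        # stored here and no Kerberos ticket is needed to reach slapd.
        database = {
                dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com
                hdb-ldap-structural-object = inetOrgPerson
                hdb-ldap-url = ldapi:///
                acl_file = /var/heimdal/kadmind.acl
                mkey_file = /var/heimdal/m-key
        }
```

The startup order this implies is: slapd comes up with the ldapi:// socket, the KDC connects to it as root and is mapped by the first authz-regexp to uid=heimdal, and only after that can anything obtain a ticket and bind to slapd over ldap:// with GSSAPI. Whether the ldapi:// path and the peercred uid/gid match what the KDC process actually uses can be checked from the KDC's account with `ldapwhoami -Y EXTERNAL -H ldapi:///`, which should print the mapped uid=heimdal DN.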