On Thu, 2009-03-05 at 02:43 +0100, Michael Ströder wrote:
> Da Rock wrote:
> > I'm not sure you quite understand what I mean here-
> I think I do. ;-)
> There's no reason why you shouldn't be able to do the following:
> --ldap:// with SASL/GSSAPI--> slapd
> --KRB5--> heimdal KDC
> --ldapi:// with SASL/EXTERNAL--> slapd
> In fact the picture is a bit more complicated but I'm too tired to draw
> the real one. Hope you get the idea.
Actually that's very well presented- at least I get what you're saying.
A hiccup here is that I mean that there is no LDAP client- yet. I'm
talking about at startup: slapd looks to authenticate with Kerberos as a
service, and Kerberos is using LDAP as the backend store and needs to
authenticate to do so, which Kerberos can't do as LDAP hasn't
authenticated yet as a service.
I can see several options/problems:
1. This would/should only be a problem on the initial startup and again
IF the system goes down longer than the ticket lifetime.
2. The initial startup shouldn't be a problem as the password could be
changed to SASL/GSSAPI once the system is up and running.
IF rootdn particularly is not allocated a password until changed within
the database itself then this can be set to SASL/GSSAPI after startup,
and the Heimdal user would have to be set in an initial ldif file
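An added example (not from either poster) of the ldapi:// with SASL/EXTERNAL leg in Michael's diagram, which is what sidesteps the startup ordering problem: slapd maps the Unix peer credentials of the KDC process to a DN, so the Heimdal KDC reaches its LDAP backend with neither a password nor a Kerberos ticket, and rootdn is never needed for normal KDC operation. The DNs, the uid/gid the KDC runs as, and the file paths are assumptions to adjust locally.

```ini
# --- slapd.conf (OpenLDAP side) ---
# Assumed: slapd also listens on ldapi:///, the KDC runs as uid 0 / gid 0
# (change to the uid/gid your kdc really runs as), and the principals live
# under ou=KerberosPrincipals,dc=example,dc=com.

# Map the peer credentials slapd sees on the Unix socket to a real DN.
# This is what a SASL/EXTERNAL bind over ldapi:// arrives as.
authz-regexp
  gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth
  cn=kdc,ou=services,dc=example,dc=com

# Only that mapped identity may touch the principal entries; nothing else
# (including anonymous ldap:// clients) can read the key material.
access to dn.subtree="ou=KerberosPrincipals,dc=example,dc=com"
  by dn.exact="cn=kdc,ou=services,dc=example,dc=com" write
  by * none

# --- krb5.conf (Heimdal KDC side) ---
[kdc]
  database = {
    dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com
    hdb-ldap-structural-object = inetOrgPerson
    mkey_file = /var/heimdal/m-key
    acl_file = /var/heimdal/kadmind.acl
  }
  # Reach slapd over the local socket (SASL/EXTERNAL, peer credentials)
  # rather than ldap:// with GSSAPI, which would need a ticket the KDC
  # cannot issue until its own backend is reachable.
  hdb-ldap-url = ldapi:///
```

To check the mapping once slapd is up, run `ldapwhoami -Y EXTERNAL -H ldapi:///` as the uid the KDC uses; it prints the DN slapd derived from the peer credentials, which should be the one named in the access rule.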