Hi folks,
I have just installed OpenLDAP and I am facing a situation I would like to share with you.
In OpenBSD (the OS I am using) I have the keytab file inside /etc/kerberosV. Its access mode is 600 and its ownership is root:wheel. But OpenBSD specifies a user and group that the slapd daemon should run as; the user is "u" and the group is "g". In order to get SASL/GSSAPI working I needed to add the principal ldap/host.my.domain to the keytab. I did that; now the keytab has the principals host/x.y.z and ldap/x.y.z.
But since slapd runs as another user, it is prevented from accessing the keytab file. So I thought of the following possible solutions:
0) Run slapd as root
1) Change the permissions of the keytab
Either of those options makes the setup less secure. I know there should be some more approaches, but I cannot think of them right now.
How did you handle that?
Thanks a lot for your time and cooperation.
Best regards.
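As an added example (not part of the thread), a small Python audit that rates each option above: it applies the Unix read-permission rules to a keytab's mode and owner against the account slapd runs as. The uids/gids are constructed sample values, and the service user name passed to assess_path is an assumption.

```python
"""Rate a keytab's permissions against the account a service (here slapd) runs as.
Added example, not from the original post; numeric ids are constructed samples."""
import grp
import os
import pwd
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileInfo:
    mode: int   # permission bits only, e.g. 0o600
    uid: int    # owning user
    gid: int    # owning group


def can_read(info: FileInfo, uid: int, gids: set[int]) -> bool:
    """Classic Unix discretionary read check for a given uid and its groups."""
    if uid == 0:
        return True                              # root ignores mode bits
    if uid == info.uid:
        return bool(info.mode & stat.S_IRUSR)    # owner bits apply
    if info.gid in gids:
        return bool(info.mode & stat.S_IRGRP)    # group bits apply
    return bool(info.mode & stat.S_IROTH)        # everyone else


def assess_keytab(info: FileInfo, svc_uid: int, svc_gids: set[int]) -> str:
    """Return 'ok', or a short reason why this layout is not acceptable."""
    if svc_uid == 0:
        return "over-privileged: service runs as root"          # option 0
    if info.mode & (stat.S_IROTH | stat.S_IWOTH):
        return "insecure: world-accessible"                     # e.g. chmod 644
    if info.mode & stat.S_IWGRP:
        return "insecure: group-writable"                       # group can swap keys
    if not can_read(info, svc_uid, svc_gids):
        return "unusable: service account cannot read keytab"   # 600 root:wheel
    return "ok"


def assess_path(path: str, service_user: str) -> str:
    """Same check against a real file and a real account (hypothetical usage)."""
    st = os.stat(path)
    pw = pwd.getpwnam(service_user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if service_user in g.gr_mem}
    info = FileInfo(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return assess_keytab(info, pw.pw_uid, gids)
```

The two "ok" layouts are a keytab owned by the slapd user, or owned by root with mode 640 and the slapd group as its group; either way a separate keytab holding only the ldap/ principal keeps the host/ key out of slapd's reach.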