Hi folks,
I have just installed OpenLDAP and I am facing a situation I would like to share with you.
In OpenBSD (the OS I am using) I have the keytab file inside /etc/kerberosV. Its access mode is 600 and its ownership is root:wheel. But OpenBSD specifies a user and group the slapd daemon should run as; the user is "u" and the group is "g". In order to get SASL/GSSAPI working I need to add the principal ldap/host.my.domain to the keytab. I did it; now the keytab has the principals host/x.y.z and ldap/x.y.z.
But since slapd runs as another user it is prevented from accessing the keytab file. So I thought of the following possible solutions:
0) Run slapd as root
1) Change the permission of the keytab
Any of those options above makes security less secure. I know there should be some more approaches, but I cannot think of them right now.
How did you handle that?
Thanks a lot for your time and cooperation.
Best regards.
On Tue, 28 Jun 2011 16:05:06 -0300, Friedrich Locke <friedrich.locke@gmail.com> wrote:
> Hi folks,
> I have just installed OpenLDAP and I am facing a situation I would like to share with you.
> In OpenBSD (the OS I am using) I have the keytab file inside /etc/kerberosV. Its access mode is 600 and its ownership is root:wheel. But OpenBSD specifies a user and group the slapd daemon should run as; the user is "u" and the group is "g". In order to get SASL/GSSAPI working I need to add the principal ldap/host.my.domain to the keytab. I did it; now the keytab has the principals host/x.y.z and ldap/x.y.z.
> But since slapd runs as another user it is prevented from accessing the keytab file. So I thought of the following possible solutions:
> - Run slapd as root
> - Change the permission of the keytab
> Any of those options above makes security less secure. I know there should be some more approaches, but I cannot think of them right now.
> How did you handle that?
Create an ldap keytab and set appropriate permissions.
-Dieter
On 28/06/11 16:05 -0300, Friedrich Locke wrote:
> Hi folks,
> I have just installed OpenLDAP and I am facing a situation I would like to share with you.
> In OpenBSD (the OS I am using) I have the keytab file inside /etc/kerberosV. Its access mode is 600 and its ownership is root:wheel. But OpenBSD specifies a user and group the slapd daemon should run as; the user is "u" and the group is "g". In order to get SASL/GSSAPI working I need to add the principal ldap/host.my.domain to the keytab. I did it; now the keytab has the principals host/x.y.z and ldap/x.y.z.
> But since slapd runs as another user it is prevented from accessing the keytab file. So I thought of the following possible solutions:
> - Run slapd as root
> - Change the permission of the keytab
> Any of those options above makes security less secure. I know there should be some more approaches, but I cannot think of them right now.
If your GSSAPI mechanism is compiled against Heimdal, you should be able to specify an alternate location for your keytab file. Create/edit /usr/lib/sasl2/slapd.conf (or the location specified by --with-configdir at SASL compile time), and customize the location with:
keytab: /etc/kerberosV-ldap
with read permissions for your slapd user.
Another option is to create a new system group (e.g. 'keytab'), and set ownership of /etc/kerberosV to 'root:keytab', with read permissions for keytab, and add your slapd user (and other necessary members) to that group. Write permissions should not be necessary.
--On Wednesday, June 29, 2011 11:56 AM -0500 Dan White <dwhite@olp.net> wrote:
> If your GSSAPI mechanism is compiled against Heimdal, you should be able to specify an alternate location for your keytab file. Create/edit /usr/lib/sasl2/slapd.conf (or the location specified by --with-configdir at SASL compile time), and customize the location with:
You shouldn't require a sasl2/slapd.conf at all. Just do something like:
export KRB5_KTNAME=/etc/ldap.keytab
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
openldap-technical@openldap.org
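The checks that Dieter's and Quanah's replies imply, as an added example written for this thread (not code from the OpenLDAP project or from either poster): it parses a version 2 keytab directly to list the principals a file holds, and reports a keytab that the slapd user does not own, that is group- or world-readable, or that still carries the host/ principal next to ldap/. The realm EXAMPLE.ORG, the principal names, the dummy keys and the function names are constructed for the example; the daemon's uid is whatever the caller looks up for the slapd user.

```python
import os
import stat
import struct
# Keytab v2 record (0x0502, Heimdal and MIT): int32 size, uint16 ncomp, realm, ncomp x component,
#   uint32 name_type, uint32 timestamp, uint8 kvno, uint16 enctype, uint16 keylen, key (strings are uint16-prefixed)
cstr = lambda b: struct.pack(">H", len(b)) + b

def build_keytab(principals, realm=b"EXAMPLE.ORG"):
    # Serialise a minimal keytab, one entry per principal (constructed sample, dummy keys).
    out = b"\x05\x02"
    for p in principals:
        comps = p.encode().split(b"/")
        body = struct.pack(">H", len(comps)) + cstr(realm) + b"".join(map(cstr, comps))
        body += struct.pack(">IIBHH", 1, 0, 1, 18, 16) + b"\x00" * 16  # NT_PRINCIPAL, ts, kvno, aes256
        out += struct.pack(">i", len(body)) + body
    return out

def list_principals(data):
    # Return the principals stored in keytab bytes, skipping deleted slots.
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, names = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size == 0:
            raise ValueError("corrupt keytab record")
        pos += 4
        if size > 0:                      # a negative size marks a deleted slot
            q, (ncomp,) = pos + 2, struct.unpack_from(">H", data, pos)
            parts = []
            for _ in range(ncomp + 1):    # realm first, then the name components
                (n,) = struct.unpack_from(">H", data, q)
                parts.append(data[q + 2:q + 2 + n].decode())
                q += 2 + n
            names.append("/".join(parts[1:]) + "@" + parts[0])
        pos += abs(size)
    return names

def keytab_problems(mode, uid, principals, service, daemon_uid):
    # Why a keytab is unsafe for a daemon: wrong owner, group/world access, principals it should not hold.
    problems = ["owner"] if uid != daemon_uid else []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode")
    return problems + ["foreign principal " + p for p in principals if not p.startswith(service + "/")]

def audit_keytab(path, service, daemon_uid):
    # Run the checks against a keytab on disk, e.g. audit_keytab("/etc/ldap.keytab", "ldap", slapd_uid).
    st = os.stat(path)
    with open(path, "rb") as f:
        return keytab_problems(st.st_mode, st.st_uid, list_principals(f.read()), service, daemon_uid)
```

An empty list from audit_keytab means the dedicated keytab is owned by the slapd user, readable by nobody else, and holds only ldap/ keys; anything else names what still has to be fixed.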