[31907] in Kerberos


Re: Kerberos syncrepl support for OpenLDAP

daemon@ATHENA.MIT.EDU (Jaap Winius)
Tue Jan 12 15:38:57 2010

From: Jaap Winius <jwinius@umrk.nl>
MIME-Version: 1.0
Date: 12 Jan 2010 20:10:15 GMT
Message-ID: <4b4cd727$0$1958$e4fe514c@dreader16.news.xs4all.nl>
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Mon, 11 Jan 2010 15:24:49 -0800, Russ Allbery wrote:

>> Before I begin, let me say that, in this case, Kerberos only offers
>> encrypted authentication and not data encryption for the OpenLDAP
>> replication phase; ...
> 
> That doesn't sound right. ...

That's because I was dead wrong about that. My apologies.

> ... GSSAPI offers confidentiality and OpenLDAP in
> general knows how to use GSSAPI via SASL to obtain confidentiality.

Indeed, I've since learned (and verified with tcpdump) that Kerberos  
offers encryption as well as authentication. I was very happy to learn 
that. :-)

> Rather than backgrounding k5start using the shell, you probably want to
> use its -b flag. ... You can run k5start as root and have it chown the
> ticket cache to another user, rather than having to change the shell of
> the openldap user. 

Excellent! My new k5start command, which can be executed as root, looks 
like this:

   k5start -U -f /etc/krb5.keytab -b -K 10 -l 24h \
   -k /tmp/krb5cc_105 -o openldap

I also found out that the name of the credential cache (/tmp) file is not 
arbitrary. In particular, the file name must end with the UID number of 
the user that it's for, in my case the openldap user with UID=105. At 
least, that's the way it works on Debian lenny.

Incidentally, with kstart 3.15, if the -o flag is used without -k, a 
segfault and a core dump will be the result.

Thanks!

Jaap
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
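The post above ties together two things a practitioner will want to check on the replica: that the credential cache k5start writes is the one the OpenLDAP process will actually pick up (the default cache is `/tmp/krb5cc_<uid>` when `KRB5CCNAME` is unset, which is why the name must end in the openldap user's UID), and that the cache is owned by that user and not readable by anyone else. The script below is an added example, not code from the thread or from the kstart or OpenLDAP projects; the function names `default_ccache_for`, `k5start_cmdline` and `check_ccache` are my own, the keytab path `/etc/krb5.keytab` and the flag set are taken from the post, and the 0600 mode requirement is an assumption about what a correctly owned cache should look like, not something the post states.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post).
# Assumes a POSIX sh with `id -u <user>` and a find(1) that supports
# -user and -perm (GNU and BSD find both do).
set -eu

# Default Kerberos credential cache path for a user, following the
# FILE:/tmp/krb5cc_<uid> convention a process falls back to when
# KRB5CCNAME is not set in its environment.
default_ccache_for() {
    printf '/tmp/krb5cc_%s\n' "$(id -u "$1")"
}

# Print (do not run) the k5start invocation from the post, deriving the
# cache name from the user's uid so the suffix cannot be mistyped.
# The keytab defaults to /etc/krb5.keytab as in the post.
k5start_cmdline() {
    user=$1
    keytab=${2:-/etc/krb5.keytab}
    printf 'k5start -U -f %s -b -K 10 -l 24h -k %s -o %s\n' \
        "$keytab" "$(default_ccache_for "$user")" "$user"
}

# Verify an existing cache file for a user:
#   - it is a regular file,
#   - its name ends in that user's uid (so the default-cache lookup finds it),
#   - it is owned by that user and is mode 0600 (assumed hardening check).
# Returns 0 when all checks pass, a distinct non-zero code per failure.
check_ccache() {
    path=$1
    user=$2
    uid=$(id -u "$user") || return 1

    [ -f "$path" ] || { echo "$path: not a regular file" >&2; return 2; }

    case "$path" in
        *_"$uid") ;;
        *) echo "$path: name does not end in uid $uid" >&2; return 3 ;;
    esac

    # find prints the path only if owner and exact mode both match.
    if [ -z "$(find "$path" -user "$user" -perm 600 -print 2>/dev/null)" ]; then
        echo "$path: not owned by $user with mode 0600" >&2
        return 4
    fi
    return 0
}

# Stand-alone usage:  ./ccache-check.sh <user> [cache-path]
# With only a user, prints the k5start command line; with a path as well,
# checks that path for that user.
if [ "${1:-}" != "" ]; then
    if [ "${2:-}" != "" ]; then
        check_ccache "$2" "$1" && echo "$2: ok"
    else
        k5start_cmdline "$1"
    fi
fi
```

Running `check_ccache /tmp/krb5cc_105 openldap` after k5start has started is a cheap way to confirm the `-k`/`-o` pairing did what was intended before restarting slapd; the uid-suffix check catches the naming mistake the post describes, and the owner/mode check catches a cache that was left world-readable.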
