[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Heimdal/OpenLDAP/Samba howto and bugreport

A few comments...

If one were to add the suggested access statement:
  access to *
      by dn="uid=heimdal,dc=services,dc=padl,dc=com" write

before other access statements, then no other user (including
anonymous) can access anything (due to the implicit "by * none stop"
in all access statements).  (If it was added after other access
statements it likely would have no effect (as access to * would
likely already be described).  Also, it really dn.exact= instead of
dn=.  A better access statement would be:
  access to *
        by dn.exact="uid=heimdal,dc=services,dc=padl,dc=com" write
        by * none breakwith a note that this should be included above other statements.
  access to *
        by dn.exact="uid=heimdal,dc=services,dc=padl,dc=com" write
        ...(... indicating the admin needs to integrate this with their other
access statements).

Regarding commenting out sasl-secprops minssf=128, it might
be better to instead lower the minssf to 70.  The base SSF of
ldapi:// is currently 71.  We figured that use of ldapi:// was better
than weak encryption (<65) but not as good as stronger
encryption (>95), hence the 71.  The ldapi:// SSF should really
be a configurable option.  I'll add that to our TODO list.


At 09:40 AM 5/31/2004, Love wrote:

>Tarjei Huse <tarjei@nu.no> writes:
>>> I would like to include it with the documtation we ship with heimdal, and I
>>> guess we should rebuild the htmlized info documtation every night so it
>>> happends.
>> Good :-)
>>> If your howto don't fit into the info documetation in a good way, I can put
>>> them up on the website (on train right now, can't check).
>> Ok, both things are good IMHO. I think we should decide on how to do the
>> configuration before I move the howto, but once that has been done, then
>> it should be included here and there.
>> I'm planning to expand the section on using kerberos to include services
>> like ssh, cyrus-imapd and emailclients.
>So I've folded in most comments into the already existing document that was
>based on Luke Howards document, you can find a snapshot here (its all
>commited, so it will be in next snapshot).
>The third point in your TroubleshootingGuide (missing krb5KeyVersionNumber)
>was a bug and is now fixed.