[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Heimdal/OpenLDAP/Samba howto and bugreport

To: Love <lha@stacken.kth.se>
Subject: Re: Heimdal/OpenLDAP/Samba howto and bugreport
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.Org>
Date: Mon, 31 May 2004 11:07:13 -0700
Cc: tarjei@nu.no, heimdal-discuss@sics.se
In-Reply-To: <amfz9gv9bg.fsf@nutcracker.stacken.kth.se>
References: <1085567567.3321.234.camel@elprinsessekaja.mail.nu.no><amr7t6f75f.fsf@nutcracker.stacken.kth.se><1085759514.3578.561.camel@elprinsessekaja.mail.nu.no><am65af8uoq.fsf@nutcracker.stacken.kth.se><1085844599.1553.28.camel@heimen.local><amfz9gv9bg.fsf@nutcracker.stacken.kth.se>
Sender: owner-heimdal-discuss@sics.se

A few comments...

If one were to add the suggested access statement:
  access to *
      by dn="uid=heimdal,dc=services,dc=padl,dc=com" write

before other access statements, then no other user (including
anonymous) can access anything (due to the implicit "by * none stop"
in all access statements).  (If it was added after other access
statements it likely would have no effect (as access to * would
likely already be described).  Also, it really dn.exact= instead of
dn=.  A better access statement would be:
  access to *
        by dn.exact="uid=heimdal,dc=services,dc=padl,dc=com" write
        by * none breakwith a note that this should be included above other statements.
Or:
  access to *
        by dn.exact="uid=heimdal,dc=services,dc=padl,dc=com" write
        ...(... indicating the admin needs to integrate this with their other
access statements).

Regarding commenting out sasl-secprops minssf=128, it might
be better to instead lower the minssf to 70.  The base SSF of
ldapi:// is currently 71.  We figured that use of ldapi:// was better
than weak encryption (<65) but not as good as stronger
encryption (>95), hence the 71.  The ldapi:// SSF should really
be a configurable option.  I'll add that to our TODO list.

Kurt

At 09:40 AM 5/31/2004, Love wrote:

>Tarjei Huse <tarjei@nu.no> writes:
>
>>> I would like to include it with the documtation we ship with heimdal, and I
>>> guess we should rebuild the htmlized info documtation every night so it
>>> happends.
>> Good :-)
>>
>>> If your howto don't fit into the info documetation in a good way, I can put
>>> them up on the website (on train right now, can't check).
>>
>> Ok, both things are good IMHO. I think we should decide on how to do the
>> configuration before I move the howto, but once that has been done, then
>> it should be included here and there.
>>
>> I'm planning to expand the section on using kerberos to include services
>> like ssh, cyrus-imapd and emailclients.
>
>So I've folded in most comments into the already existing document that was
>based on Luke Howards document, you can find a snapshot here (its all
>commited, so it will be in next snapshot).
>
>http://people.su.se/~lha/patches/heimdal/ldap-info-doc.txt
>
>The third point in your TroubleshootingGuide (missing krb5KeyVersionNumber)
>was a bug and is now fixed.
>
>Love
>

Follow-Ups:
- RE: Heimdal/OpenLDAP/Samba howto and bugreport
  - From: "Howard Chu" <hyc@highlandsun.com>

References:
- Heimdal/OpenLDAP/Samba howto and bugreport
  - From: Tarjei Huse <tarjei@nu.no>
- Re: Heimdal/OpenLDAP/Samba howto and bugreport
  - From: Tarjei Huse <tarjei@nu.no>
- Re: Heimdal/OpenLDAP/Samba howto and bugreport
  - From: Love <lha@stacken.kth.se>
- Re: Heimdal/OpenLDAP/Samba howto and bugreport
  - From: Tarjei Huse <tarjei@nu.no>
- Re: Heimdal/OpenLDAP/Samba howto and bugreport
  - From: Love <lha@stacken.kth.se>

Prev by Date: Re: Heimdal/OpenLDAP/Samba howto and bugreport
Next by Date: RE: Heimdal/OpenLDAP/Samba howto and bugreport
Prev by thread: Re: Heimdal/OpenLDAP/Samba howto and bugreport
Next by thread: RE: Heimdal/OpenLDAP/Samba howto and bugreport
Index(es):
- Date
- Thread