[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: LDAP -> Heimdal -> LDAP
Tarjei Huse wrote:
> Alejandro Mery wrote:
> If you guys find something that is wrong or might be done smarter
> another way, do not hesitate to tell me!
> Also I'd like input on how to configure more applications to use kerberos.
I've never actually run into any problems with the minssf issue using
LDAPI, so I'm puzzled about why that discussion began.
The /usr/lib/sasl2/slapd.conf you recommend should not be needed. If you
see a GSSAPI error as your document notes, that indicates that the LDAP
principal is missing, and changing sasl2/slapd.conf won't do anything to
fix that. Also, slapd has an internal auxprop mech that can be used to
satisfy password-based SASL mechs, it would be best to keep it in place.
Since GSSAPI does not use a password, it will bypass the auxprop
automatically, so there's no need to explicitly select gssapi there.
The smbk5pwd plugin in OpenLDAP CVS (also in release 2.3) will help keep
Kerberos, Samba, and LDAP sumple binds synchronized, you should look
into using it. Oddly enough, I wrote this module at Andrew Bartlett's
request but it appears that he's not using it.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support