Re: LDAP -> Heimdal -> LDAP

Tarjei Huse wrote:
> Alejandro Mery wrote:
>>> https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap
> If you guys find something that is wrong or might be done smarter 
> another way, do not hesitate to tell me!
> Also I'd like input on how to configure more applications to use kerberos.
> Tarjei

I've never actually run into any problems with the minssf issue using 
LDAPI, so I'm puzzled about why that discussion began.

The /usr/lib/sasl2/slapd.conf you recommend should not be needed. If you 
see a GSSAPI error as your document notes, that indicates that the LDAP 
principal is missing, and changing sasl2/slapd.conf won't do anything to 
fix that. Also, slapd has an internal auxprop mech that can be used to 
satisfy password-based SASL mechs; it would be best to keep it in place. 
Since GSSAPI does not use a password, it will bypass the auxprop 
automatically, so there's no need to explicitly select gssapi there.

The smbk5pwd plugin in OpenLDAP CVS (also in release 2.3) will help keep 
Kerberos, Samba, and LDAP simple binds synchronized; you should look 
into using it. Oddly enough, I wrote this module at Andrew Bartlett's 
request but it appears that he's not using it.
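As an added illustration (not part of the original message or the linked wiki page), a slapd.conf fragment that loads the smbk5pwd overlay mentioned above so that a single LDAP Password Modify operation updates the Heimdal keys, the Samba hashes and the simple-bind userPassword of the same entry. The module path, suffix and database backend are assumptions for this example.

```conf
# Assumed install location of the contrib module built from
# contrib/slapd-modules/smbk5pwd in the OpenLDAP source tree.
modulepath      /usr/lib/ldap
moduleload      smbk5pwd.la

database        bdb
suffix          "dc=example,dc=com"   # assumed suffix
rootdn          "cn=admin,dc=example,dc=com"

# The overlay is attached to the database holding the user entries. On a
# Password Modify (RFC 3062) request it rewrites userPassword and, for entries
# carrying the Heimdal hdb-ldap schema (krb5KDCEntry) and the Samba schema
# (sambaSamAccount), regenerates the Kerberos keys and the LM/NT hashes, so
# the three password stores cannot drift apart.
overlay         smbk5pwd
# Newer builds of the module let you pick the backends to keep in sync;
# older 2.3-era builds select them at compile time instead.
smbk5pwd-enable krb5 samba
```

Only password changes that go through the Password Modify extended operation are intercepted; a plain LDAP modify of userPassword bypasses the overlay.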

