OpenLDAP -> GSSAPI (SASL) -> KERBEROS V Questions
Donn Cave
donn at u.washington.edu
Tue Oct 19 13:09:19 EDT 2004
In article <4174FA8B.8010003 at samba.org>,
jerry at samba.org ("Gerald (Jerry) Carter") wrote:
> Matt Joyce wrote:
...
> | How can I get more verbose error logs without recompiling?
>
> Verbose error logs for the krb libs or for Openldap ?
The normal level syslog logs from the Kerberos KDC host
can be pretty useful when there are authentication problems
involving a service principal.
The application error messages from the Cyrus SASL GSSAPI
module will help a little, but unfortunately tend to omit
specifics of the error.
> | And, once I've generated my ldap principal, and his key...
> | can I copy the key out of the keytab and chown/chmod it for
> | ldap in another directory and expect it to work?
>
> Since (as Sam already said), the service principal
> name is ldap/fqdn at REALM, each ldap server will need its
> own keytab. It sounds like you are asking if you can
> use the same keytab for multiple OpenLDAP installations.
> Sorry if I misunderstood.
Or could be intending to run slapd under a less privileged
UID than 0, for whom /etc/krb5.keytab is inaccessible.
There's no reason that can't work, as long as you can specify
the location of the keytab. The krb5 library mechanism for
that, an environment variable KRB5_KTNAME, is the only way
that comes to mind.
Donn Cave, donn at u.washington.edu
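An added illustration of the setup Donn describes, not code from anyone in this thread: a small POSIX shell check that a slapd start script could run before exporting KRB5_KTNAME, refusing to start if the separate keytab is not owned by the unprivileged slapd user or is readable by group/other. It assumes the ldap/fqdn key has already been exported into its own file (for example with kadmin's "ktadd -k <file>"), and that stat(1) is the GNU or BSD variant; the user name and path in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Verifies that the
# dedicated keytab an unprivileged slapd will read via KRB5_KTNAME is
# owned by that user and carries no group/other permission bits, so the
# long-term service key is not exposed to other local accounts.

# keytab_check PATH USER
#   returns 0 when PATH is a regular file owned by USER with mode ?00,
#   1 otherwise (reason written to stderr).
keytab_check() {
    kt=$1; user=$2
    [ -f "$kt" ] || { echo "keytab $kt: not a regular file" >&2; return 1; }
    # Portable owner/mode read: try GNU stat first, then BSD stat.
    owner=$(stat -c %U "$kt" 2>/dev/null || stat -f %Su "$kt")
    mode=$(stat -c %a "$kt" 2>/dev/null || stat -f %Lp "$kt")
    [ "$owner" = "$user" ] || {
        echo "keytab $kt: owned by $owner, expected $user" >&2; return 1; }
    # Octal mode must end in 00: no group or other bits at all.
    case "$mode" in
        *00) return 0 ;;
        *)   echo "keytab $kt: mode $mode exposes the key to group/other" >&2
             return 1 ;;
    esac
}

# slapd_env PATH USER
#   prints the KRB5_KTNAME assignment for slapd's environment, or prints
#   nothing and returns 1 if the keytab fails the check above.
slapd_env() {
    keytab_check "$1" "$2" || return 1
    printf 'KRB5_KTNAME=FILE:%s\n' "$1"
}

# Usage (placeholder path and user):
#   env "$(slapd_env /etc/openldap/ldap.keytab ldap)" slapd -u ldap ...
```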