Kerberos syncrepl support for OpenLDAP
Jaap Winius
jwinius at umrk.nl
Tue Jan 12 15:10:15 EST 2010
On Mon, 11 Jan 2010 15:24:49 -0800, Russ Allbery wrote:
>> Before I begin, let me say that, in this case, Kerberos only offers
>> encrypted authentication and not data encryption for the OpenLDAP
>> replication phase; ...
>
> That doesn't sound right. ...
That's because I was dead wrong about that. My apologies.
> ... GSSAPI offers confidentiality and OpenLDAP in
> general knows how to use GSSAPI via SASL to obtain confidentiality.
Indeed, I've since learned (and verified with tcpdump) that Kerberos
offers encryption as well as authentication. I was very happy to learn
that. :-)
> Rather than backgrounding k5start using the shell, you probably want to
> use its -b flag. ... You can run k5start as root and have it chown the
> ticket cache to another user, rather than having to change the shell of
> the openldap user.
Excellent! My new k5start command, which can be executed as root, looks
like this:
k5start -U -f /etc/krb5.keytab -b -K 10 -l 24h \
-k /tmp/krb5cc_105 -o openldap
I also found out that the name of the credential cache (/tmp) file is not
arbitrary. In particular, the file name must end with the UID number of
the user that it's for, in my case the openldap user with UID=105. At
least, that's the way it works on Debian lenny.
Incidentally, with kstart 3.15, if the -o flag is used without -k, a
segfault and a core dump will be the result.
Thanks!
Jaap
More information about the Kerberos
mailing list