Re: separate keytab files
On Monday, April 4, 2005, at 09:02 AM, Gaurav Sharma wrote:
Is there a way to run MIT kerberos v5 1.3.x and openldap 2.2.x using
cyrus-sasl without setting KRB5_KTNAME environment variable?
The reason I want to do this is because I have other kerberized
applications running whose authentication fails if I set
KRB5_KTNAME=/xxx/ldap.keytab (which contains the LDAP service
principal), for GSSAPI auth. I don't want ldap to have access to the
/etc/krb5.keytab file.
I don't know how you're setting KRB5_KTNAME in this case, but
if it's set in slapd's environment only, it will apply only to
slapd (and anything invoked by slapd, which doesn't seem like
it should be a problem.)
You can do this in the startup script, e.g.,
KRB5_KTNAME=/xxx/ldap.keytab
export KRB5_KTNAME
slapd -h ldap://$hostname
or more succinctly, and more obviously limited to the
slapd process only,
KRB5_KTNAME=/xxx/ldap.keytab slapd -h ldap://$hostname
Donn Cave, donn@u.washington.edu
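As an added example (not part of the thread above, and not code from either poster): a small POSIX sh wrapper that does what the reply describes, setting KRB5_KTNAME for the slapd process only, and additionally refuses to start if the keytab is missing, unreadable, or readable by group/others. The path /xxx/ldap.keytab is taken from the question; the permission check, the LDAP_KEYTAB override variable, the function names and the `start` argument are this example's own assumptions, and slapd is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Scope KRB5_KTNAME to slapd alone by placing the assignment on the
# command line that execs it; nothing else in the login session sees it.

# Keytab path from the question; LDAP_KEYTAB override is an assumption.
KEYTAB="${LDAP_KEYTAB:-/xxx/ldap.keytab}"

# check_keytab FILE
# Returns 0 if FILE exists, is readable by the invoking user, and has no
# group/other permission bits; otherwise prints a reason and returns 1.
# The mode is read from `ls -l` columns 5-10 (group and other triplets),
# which works in POSIX sh without relying on GNU- or BSD-specific stat.
check_keytab() {
    kt="$1"
    if [ ! -f "$kt" ]; then
        echo "keytab $kt: no such file" >&2
        return 1
    fi
    if [ ! -r "$kt" ]; then
        echo "keytab $kt: not readable by $(id -un)" >&2
        return 1
    fi
    perms=$(ls -l "$kt" | cut -c5-10)
    case "$perms" in
        ------) ;;
        *)
            echo "keytab $kt: group/other bits set ($perms); expected mode 0600" >&2
            return 1
            ;;
    esac
    return 0
}

# slapd_command HOST FILE
# Prints the one-line form from the reply, with the keytab scoped to slapd.
slapd_command() {
    printf 'KRB5_KTNAME=%s slapd -h ldap://%s\n' "$2" "$1"
}

# start_slapd HOST
# Validates the keytab, then execs slapd with KRB5_KTNAME set only for it.
# The assignment before `exec` is exported to the new process image and
# never reaches the caller's environment.
start_slapd() {
    check_keytab "$KEYTAB" || return 1
    KRB5_KTNAME="$KEYTAB" exec slapd -h "ldap://$1"
}

# Usage: ./slapd-start.sh start ldap.example.org
if [ "${1:-}" = "start" ]; then
    start_slapd "$2"
fi
```

Because the variable is attached to the slapd command rather than exported from the startup shell, other kerberized services started from the same session keep using the default /etc/krb5.keytab, which is the behaviour the question was after.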