
Re: Fwd: Help pls : KDC w/LDAP backend
On Mon, Jan 02, 2017 at 08:27:29AM +0100, Pascal Jakobi wrote:

> My LDAP ACLs are as follows :

Just as a reference, the ACLs we use are:

access to attrs=userPassword
        by anonymous auth

access to dn.subtree="cn=container,ou=kerberos"
        by dn="cn=kdc,ou=service,ou=kerberos" write
        by dn="cn=kadmin,ou=service,ou=kerberos" write
        by * none break

access to dn.exact="ou=kerberos" attrs=entry,contextCSN,objectClass
        by dn="cn=slapd-checksync,ou=service,ou=kerberos" read
        by * none break

access to *
        by dn.exact="cn=slapd-syncrepl,ou=service,ou=kerberos" read
        by * none


We've never had an issue. The first stanza allows the various service
accounts to authenticate, the second provides access to the kdc and
kadmin services, the third to a replication check account, and the last
to the syncrepl service. We run separate dedicated ldap servers for our
kerberos backends on each kdc; we don't mix the kerberos ldap data into
our normal ldap systems.
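The KDC-side configuration that pairs with the ACLs above, as an added example that is not part of the original message or of the krb5 project's documentation. It assumes MIT krb5's kldap backend, a realm named EXAMPLE.COM, a stash file at /etc/krb5kdc/service.keyfile and a local ldapi:/// listener on the dedicated KDC-side LDAP server; the bind DNs and container DN are the ones the ACLs above grant access to.

```ini
; kdc.conf fragment (added example; realm name, file path and ldapi URI are assumptions)
[realms]
    EXAMPLE.COM = {
        database_module = openldap_ldapconf
    }

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ; must lie inside the subtree the second ACL stanza grants write on,
        ; otherwise the final "access to * ... by * none" rule applies and the
        ; KDC gets no access at all
        ldap_kerberos_container_dn = cn=container,ou=kerberos
        ; DNs that the first ACL stanza lets authenticate (auth on userPassword)
        ; and the second lets write
        ldap_kdc_dn = cn=kdc,ou=service,ou=kerberos
        ldap_kadmind_dn = cn=kadmin,ou=service,ou=kerberos
        ; stashed simple-bind passwords for the two DNs above
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        ; dedicated local slapd on this KDC, not the general-purpose directory
        ldap_servers = ldapi:///
        ldap_conns_per_server = 5
    }
```

The passwords for the two service DNs are stashed with `kdb5_ldap_util stashsrvpw -f /etc/krb5kdc/service.keyfile "cn=kdc,ou=service,ou=kerberos"` (and again for the kadmin DN). Because the userPassword stanza grants only `auth`, those DNs can bind but nobody, including the DNs themselves, can read the password attribute back, and the `break` clauses mean an entry outside cn=container still falls through to the last rule, which denies everything except the syncrepl account's read.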