Red Hat Bugzilla – Bug 144493
Handling of KRB5_KTNAME environment variable
Last modified: 2014-08-31 19:27:07 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Description of problem:
Currently, there is only one way to specify alternative Kerberos
keytab file when starting slapd, and that is using KRB5_KTNAME
environment variable. Use of this variable is needed, since keytab
file shouldn't be readable by ordinary users, and system-wide keytab
file is owned by user root and readable only by root (hence need for
separate keytab file, group-readable by ldap group that contains key
for ldap/hostname@REALM service principal).
It would be nice if /etc/init.d/ldap would check if KRB5_KTNAME is
defined and non-empty (for example in /etc/sysconfig/ldap) and export
it before starting slapd.
Workaround (that I'm currently using) is placing export statement
directly into /etc/sysconfing/ldap:
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Attempt using GSSAPI with slapd/ldapsearch
Created attachment 109482 [details]
/etc/init.d/ldap patch to handle KRB5_KTNAME
Was this recently fixed?
Just helping Fedora's and Nalin's bug lists shrink.
Yup, looking in the current sources from development tree, it seems to be fixed
and handled in much more elaborate way than in my simple patch. I guess this
could be closed as RAWHIDE.
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.