From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041111 Firefox/1.0

Description of problem:
Currently, there is only one way to specify an alternative Kerberos keytab file when starting slapd, and that is using the KRB5_KTNAME environment variable. Use of this variable is needed, since the keytab file shouldn't be readable by ordinary users, and the system-wide keytab file is owned by user root and readable only by root (hence the need for a separate keytab file, group-readable by the ldap group, that contains the key for the ldap/hostname@REALM service principal).

It would be nice if /etc/init.d/ldap would check if KRB5_KTNAME is defined and non-empty (for example in /etc/sysconfig/ldap) and export it before starting slapd.

The workaround (that I'm currently using) is placing an export statement directly into /etc/sysconfig/ldap:

    KRB5_KTNAME=....
    export KRB5_KTNAME

Version-Release number of selected component (if applicable):
openldap-servers-2.2.13-2

How reproducible:
Always

Steps to Reproduce:
1. Attempt using GSSAPI with slapd/ldapsearch

Additional info:
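The check requested in the report above, written out as an added example; it is not the attached patch and not the code in Fedora's init script. The function names `keytab_mode_ok` and `export_slapd_keytab` are hypothetical, GNU `stat` is assumed, and the refusal to export a keytab that users outside the owner and group can access goes beyond what the report asks for.

```sh
#!/bin/sh
# Added example: helper names are hypothetical, not from the openldap package.

# Succeed only if the keytab is a regular file whose mode grants nothing to
# "other" (for example 0640, owned by root with group ldap).
keytab_mode_ok() {
    kt=$1
    [ -f "$kt" ] || return 1
    mode=$(stat -c '%a' "$kt") || return 1   # GNU stat: octal mode, e.g. 640
    case $mode in
        *0) return 0 ;;   # last octal digit 0: no access for other users
        *)  return 1 ;;
    esac
}

# Source the sysconfig file and export KRB5_KTNAME only when it is set,
# non-empty and points at a keytab that passes keytab_mode_ok.
# $1: sysconfig file (defaults to /etc/sysconfig/ldap, the path from the report)
export_slapd_keytab() {
    conf=${1:-/etc/sysconfig/ldap}
    [ -r "$conf" ] && . "$conf"

    # Nothing configured: leave the environment alone so the Kerberos
    # library falls back to its default keytab.
    [ -n "${KRB5_KTNAME:-}" ] || return 0

    # The value may carry a keytab type prefix such as FILE:
    kt_path=${KRB5_KTNAME#FILE:}

    if ! keytab_mode_ok "$kt_path"; then
        echo "not exporting KRB5_KTNAME: $kt_path is missing or accessible to other users" >&2
        unset KRB5_KTNAME
        return 1
    fi

    export KRB5_KTNAME
}

# In an init script this would be called once, before slapd is started:
#   export_slapd_keytab /etc/sysconfig/ldap || exit 1
```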
Created attachment 109482 [details] /etc/init.d/ldap patch to handle KRB5_KTNAME
Was this recently fixed?
https://www.redhat.com/archives/fedora-cvs-commits/2005-April/msg01356.html

Just helping Fedora's and Nalin's bug lists shrink.
Yup, looking in the current sources from the development tree, it seems to be fixed and handled in a much more elaborate way than in my simple patch. I guess this could be closed as RAWHIDE.
Fedora Core 3 is now maintained by the Fedora Legacy project for security updates only. If this problem is a security issue, please reopen and reassign to the Fedora Legacy product. If it is not a security issue and hasn't been resolved in the current FC5 updates or in the FC6 test release, reopen and change the version to match. Thank you!