Bug 144493 - Handling of KRB5_KTNAME environment variable
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: openldap
Version: 3
Hardware: All Linux
Priority: medium, Severity: low
Assigned To: Jay Fenlason
Reported: 2005-01-07 13:13 EST by Aleksandar Milivojevic
Modified: 2014-08-31 19:27 EDT
Doc Type: Bug Fix
Last Closed: 2006-11-29 10:20:45 EST

Attachments
/etc/init.d/ldap patch to handle KRB5_KTNAME (600 bytes, patch)
2005-01-07 13:14 EST, Aleksandar Milivojevic

Description Aleksandar Milivojevic 2005-01-07 13:13:08 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041111 Firefox/1.0

Description of problem:
Currently, there is only one way to specify an alternative Kerberos
keytab file when starting slapd, and that is using the KRB5_KTNAME
environment variable.  Use of this variable is needed, since the keytab
file shouldn't be readable by ordinary users, and the system-wide keytab
file is owned by user root and readable only by root (hence the need for
a separate keytab file, group-readable by the ldap group, that contains
the key for the ldap/hostname@REALM service principal).

It would be nice if /etc/init.d/ldap would check if KRB5_KTNAME is
defined and non-empty (for example in /etc/sysconfig/ldap) and export
it before starting slapd.

The workaround (that I'm currently using) is placing an export statement
directly into /etc/sysconfig/ldap:

KRB5_KTNAME=....
export KRB5_KTNAME


Version-Release number of selected component (if applicable):
openldap-servers-2.2.13-2

How reproducible:
Always

Steps to Reproduce:
1. Attempt using GSSAPI with slapd/ldapsearch


Additional info:
Comment 1 Aleksandar Milivojevic 2005-01-07 13:14:15 EST
Created attachment 109482
/etc/init.d/ldap patch to handle KRB5_KTNAME
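
The check requested in the description, sketched as an added example; this is not the attached patch (which is not shown on this page) nor the fix that later went into the Fedora init script. The function names and the rule of rejecting a keytab with any permission bits for "other" are assumptions made for illustration.

```shell
# Added example: function names and the permission policy are assumptions.

# Succeed only if the keytab is a regular file at an absolute path with no
# permission bits set for "other" (group access for the ldap group is fine).
keytab_perms_ok() {
    kt=${1#FILE:}                      # KRB5_KTNAME may carry a FILE: prefix
    case "$kt" in /*) ;; *) return 1 ;; esac
    [ -f "$kt" ] || return 1
    # find prints the path if any of the other-read/write/execute bits is set
    loose=$(find "$kt" -prune \( -perm -004 -o -perm -002 -o -perm -001 \))
    [ -z "$loose" ]
}

# Source the sysconfig file ($1) and export KRB5_KTNAME when it is set,
# non-empty and names an acceptable keytab. Returns non-zero on a bad keytab.
export_ldap_keytab() {
    conf=$1
    if [ -r "$conf" ]; then
        . "$conf"
    fi
    if [ -z "${KRB5_KTNAME:-}" ]; then
        return 0                       # unset or empty: default keytab stays in use
    fi
    if ! keytab_perms_ok "$KRB5_KTNAME"; then
        echo "keytab $KRB5_KTNAME is missing or accessible to other users" >&2
        unset KRB5_KTNAME
        return 1
    fi
    export KRB5_KTNAME
}
```

An init script would call `export_ldap_keytab /etc/sysconfig/ldap` before starting slapd and abort the start if it returns non-zero.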
Comment 2 Rudi Chiarito 2005-05-21 13:43:12 EDT
Was this recently fixed?

https://www.redhat.com/archives/fedora-cvs-commits/2005-April/msg01356.html

Just helping Fedora's and Nalin's bug lists shrink.
Comment 3 Aleksandar Milivojevic 2005-05-21 23:07:00 EDT
Yup, looking in the current sources from the development tree, it seems to be fixed
and handled in a much more elaborate way than in my simple patch.  I guess this
could be closed as RAWHIDE.
Comment 4 Matthew Miller 2006-07-10 19:03:55 EDT
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!
