Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
Bug 144493 - Handling of KRB5_KTNAME environment variable
Handling of KRB5_KTNAME environment variable
Product: Fedora
Classification: Fedora
Component: openldap (Show other bugs)
All Linux
medium Severity low
: ---
: ---
Assigned To: Jay Fenlason
Depends On:
  Show dependency treegraph
Reported: 2005-01-07 13:13 EST by Aleksandar Milivojevic
Modified: 2014-08-31 19:27 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-11-29 10:20:45 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
/etc/init.d/ldap patch to handle KRB5_KTNAME (600 bytes, patch)
2005-01-07 13:14 EST, Aleksandar Milivojevic
no flags Details | Diff

  None (edit)
Description Aleksandar Milivojevic 2005-01-07 13:13:08 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041111 Firefox/1.0

Description of problem:
Currently, there is only one way to specify alternative Kerberos
keytab file when starting slapd, and that is using KRB5_KTNAME
environment variable.  Use of this variable is needed, since keytab
file shouldn't be readable by ordinary users, and system-wide keytab
file is owned by user root and readable only by root (hence need for
separate keytab file, group-readable by ldap group that contains key
for ldap/hostname@REALM service principal).

It would be nice if /etc/init.d/ldap would check if KRB5_KTNAME is
defined and non-empty (for example in /etc/sysconfig/ldap) and export
it before starting slapd.

Workaround (that I'm currently using) is placing export statement
directly into /etc/sysconfing/ldap:

export KRB5_KTNAME

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Attempt using GSSAPI with slapd/ldapsearch

Additional info:
Comment 1 Aleksandar Milivojevic 2005-01-07 13:14:15 EST
Created attachment 109482 [details]
/etc/init.d/ldap patch to handle KRB5_KTNAME
Comment 2 Rudi Chiarito 2005-05-21 13:43:12 EDT
Was this recently fixed?


Just helping Fedora's and Nalin's bug lists shrink.
Comment 3 Aleksandar Milivojevic 2005-05-21 23:07:00 EDT
Yup, looking in the current sources from development tree, it seems to be fixed
and handled in much more elaborate way than in my simple patch.  I guess this
could be closed as RAWHIDE.
Comment 4 Matthew Miller 2006-07-10 19:03:55 EDT
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!

Note You need to log in before you can comment on or make changes to this bug.