On Mon, 11 Jan 2010 15:24:49 -0800, Russ Allbery wrote:

>> Before I begin, let me say that, in this case, Kerberos only offers
>> encrypted authentication and not data encryption for the OpenLDAP
>> replication phase; ...
>
> That doesn't sound right. ...

That's because I was dead wrong about that. My apologies.

> ... GSSAPI offers confidentiality and OpenLDAP in
> general knows how to use GSSAPI via SASL to obtain confidentiality.

Indeed, I've since learned (and verified with tcpdump) that Kerberos offers encryption as well as authentication. I was very happy to learn that. :-)

> Rather than backgrounding k5start using the shell, you probably want to
> use its -b flag. ... You can run k5start as root and have it chown the
> ticket cache to another user, rather than having to change the shell of
> the openldap user.

Excellent! My new k5start command, which can be executed as root, looks like this:

    k5start -U -f /etc/krb5.keytab -b -K 10 -l 24h \
        -k /tmp/krb5cc_105 -o openldap

I also found out that the name of the credential cache (/tmp) file is not arbitrary. In particular, the file name must end with the UID number of the user that it's for, in my case the openldap user with UID=105. At least, that's the way it works on Debian lenny.

Incidentally, with kstart 3.15, if the -o flag is used without -k, a segfault and a core dump will be the result.

Thanks!

Jaap

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
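Added example, not part of Jaap's message or of the kstart project: a POSIX shell helper that builds the k5start command line above from the target user's UID, so the cache lands at /tmp/krb5cc_<uid>, and a check that an existing cache path follows that naming rule. It assumes the reason the name is not arbitrary is that MIT Kerberos' default credential cache, when KRB5CCNAME is unset, is /tmp/krb5cc_<uid>, and it only prints the command rather than running k5start.

```shell
#!/bin/sh
# Added example (not from the original post or from kstart): derive the
# k5start invocation from the service user's UID so the ticket cache has the
# name the daemon will look for, and validate cache paths against that rule.
# Assumption: without KRB5CCNAME set, the default ccache is /tmp/krb5cc_<uid>.

# Print the k5start command for USER using KEYTAB (third arg: explicit UID,
# otherwise looked up with id). -o is always paired with -k, since the post
# reports that kstart 3.15 segfaults when -o is given without -k.
build_k5start_cmd() {
    user=$1
    keytab=${2:-/etc/krb5.keytab}
    if [ -n "${3:-}" ]; then
        uid=$3
    else
        uid=$(id -u "$user" 2>/dev/null) || return 1
    fi
    [ -n "$uid" ] || return 1
    cache="/tmp/krb5cc_${uid}"
    printf 'k5start -U -f %s -b -K 10 -l 24h -k %s -o %s\n' \
        "$keytab" "$cache" "$user"
}

# Return 0 if CACHE_PATH ends in exactly "krb5cc_<UID>" for the given UID,
# 1 otherwise (so /tmp/krb5cc_1050 does not pass for UID 105).
check_cache_name() {
    cache_path=$1
    uid=$2
    case "$cache_path" in
        */krb5cc_"$uid") return 0 ;;
        *) return 1 ;;
    esac
}
```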
