[Pkg-openldap-devel] Bug#412017: Bug#412017: slapd: Add an option to specify the Kerberos keytab to use

Steve Langasek vorlon at debian.org
Sat Jun 2 00:04:27 UTC 2007


On Fri, Jun 01, 2007 at 04:52:56PM -0700, Russ Allbery wrote:
> > I'm using OpenLDAP with GSSAPI authentication.

> > Is it possible to specify the keytab file to use with an option like:
> > keytab-file /etc/ldap/ldap.keytab

> > for example?

> > It will permit using a different keytab for each service; for now I add
> > export KRB5_KTNAME="FILE:/etc/ldap/ldap.keytab"

> > to the /etc/default/slapd file.

> GSSAPI doesn't really expose an API to set the keytab to use, and
> OpenLDAP's use of GSSAPI is additionally through several levels of
> indirection through various libraries, so it would be difficult to
> implement this as a slapd.conf option (apart from having slapd set the
> environment variable itself, which seems like a hack).

> Setting KRB5_KTNAME is really the supported mechanism for this.

> I've added a commented-out example in /etc/default/slapd for setting this
> variable as documentation.

Yep, this is what I'm doing too, FWIW; I agree setting an example is the best
solution here.

I'll go back to silently watching your great triage work now :)

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at debian.org                                   http://www.debian.org/



