[Pkg-openldap-devel] Bug#631120: Bug#631120: new information

Russ Allbery rra at debian.org
Tue Jun 21 18:05:58 UTC 2011


Tobias Mayer <tobias.mayer at hhi.fraunhofer.de> writes:

> I was able to get the overlay to load, but unfortunately not without a
> major drawback:

> By using slapd.conf I got slapd to write the following to syslog:
> Jun 21 16:16:52 iclinux1 slapd[2625]: smbk5pwd: unable to initialize krb5
> admin context: failed to open /var/lib/heimdal-kdc/m-key: Permission
> denied (13).

> After opening the permissions to the openldap user, the ldif applies just
> fine.

> For me this is not a big problem, since I don't use kerberos. But
> nonetheless, I think heimdal-kdc should have its own group, and
> openldap should be a member there.

Definitely not as a default configuration.  Under normal circumstances,
there's no way that the LDAP server should have direct access to the KDC
database.  The KDC database is generally the single most
security-sensitive thing on whatever machine on which it's running.

That error message indicates that the plugin is using server-mode kadmin,
which surprises me.  Shouldn't it be using client-mode kadmin with a
keytab for a known principal that has the appropriate access in
kadmind.acl?

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
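The workaround in the report (widening permissions on the master key file) is exactly what a defender wants to catch. The following audit script is an added example, not part of this thread or of either package; it assumes the Debian default path /var/lib/heimdal-kdc/m-key and GNU stat, and flags the file whenever a non-root owner or any group/other permission bit would let a service such as slapd read it.

```sh
#!/bin/sh
# Added example, not from the bug report: audit the Heimdal master key file
# so that "opening the permissions to the openldap user" shows up as a finding.
# Assumed default location on Debian: /var/lib/heimdal-kdc/m-key.

MKEY_DEFAULT=/var/lib/heimdal-kdc/m-key

# file_mode_is_tight FILE -> true when group and other have no permission bits
file_mode_is_tight() {
    mode=$(stat -c '%a' "$1")          # GNU stat, octal mode, e.g. 600 or 2640
    perms=${mode#"${mode%???}"}        # keep only the last three octal digits
    case $perms in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# file_owned_by_root FILE -> true when the owner uid is 0
file_owned_by_root() {
    [ "$(stat -c '%u' "$1")" -eq 0 ]
}

# audit_mkey [FILE]
# Exit status: 0 = readable by root only, 1 = exposed (findings printed),
# 2 = file missing. A non-root owner or any group/other bit is a finding,
# because whoever can read m-key can decrypt every key in the KDC database.
audit_mkey() {
    f=${1:-$MKEY_DEFAULT}
    if [ ! -e "$f" ]; then echo "missing: $f"; return 2; fi
    rc=0
    if ! file_owned_by_root "$f"; then
        echo "finding: $f is owned by uid $(stat -c '%u' "$f"), not root"
        rc=1
    fi
    if ! file_mode_is_tight "$f"; then
        echo "finding: $f mode $(stat -c '%a' "$f") grants group/other access"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "ok: $f readable by root only"; fi
    return $rc
}

# When run as a script: audit the given path (stat inside /var/lib/heimdal-kdc
# normally needs root because the directory itself is not world-searchable).
if [ $# -gt 0 ]; then audit_mkey "$1"; fi
```

Run it from a cron job or a configuration check so that the "Permission denied (13)" workaround from the report cannot silently persist.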
