[Pkg-openldap-devel] Bug#631120: Bug#631120: new information
Russ Allbery
rra at debian.org
Tue Jun 21 18:05:58 UTC 2011
Tobias Mayer <tobias.mayer at hhi.fraunhofer.de> writes:
> I was able to get the overlay to load, but unfortunately not without a
> major drawback:
> By using slapd.conf I got slapd to write the following to syslog:
> Jun 21 16:16:52 iclinux1 slapd[2625]: smbk5pwd: unable to initialize krb5
> admin context: failed to open /var/lib/heimdal-kdc/m-key: Permission
> denied (13).
> After opening up the permissions to the openldap user, the ldif applies just
> fine.
> For me this is not a big problem, since I don't use Kerberos. But
> nonetheless, I think heimdal-kdc should have its own group, and
> openldap should be a member there.
Definitely not as a default configuration. Under normal circumstances,
there's no way that the LDAP server should have direct access to the KDC
database. The KDC database is generally the single most
security-sensitive thing on whatever machine on which it's running.
That error message indicates that the plugin is using server-mode kadmin,
which surprises me. Shouldn't it be using client-mode kadmin with a
keytab for a known principal that has the appropriate access in
kadmind.acl?
--
Russ Allbery (rra at debian.org) <http://www.eyrie.org/~eagle/>
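The point of Russ's objection is that the KDC master key file must stay readable by root only, and loosening its mode to work around the smbk5pwd error removes that protection. The following shell function is an added example (not code from the thread, Debian or the smbk5pwd project) that audits a master-key file for that least-privilege state: owned by the expected user (root by default) and with no group or other permission bits. It assumes GNU coreutils `stat` as shipped on Debian; the path in the usage comment is the one quoted in the bug report.

```shell
#!/bin/sh
# Added example: audit a KDC master-key file for least-privilege permissions.
# Pass: owned by the expected user (default root) and mode 0600 or stricter,
# i.e. no group/other bits set. Returns 0 = OK, 1 = too permissive or wrong
# owner, 2 = file missing. Assumes GNU `stat` (-c format), as on Debian.
check_mkey_perms() {
    f="$1"
    want_owner="${2:-root}"           # owner to require; root in production
    [ -e "$f" ] || { echo "MISSING: $f"; return 2; }
    owner=$(stat -c '%U' "$f")
    mode=$(stat -c '%a' "$f")         # e.g. 600, 640, 4600
    perm=$(printf '%03d' "$mode")      # zero-pad so "0" becomes "000"
    perm=${perm#"${perm%???}"}         # keep the last three octal digits
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $f owned by $owner, expected $want_owner"
        return 1
    fi
    # 077 masks the group and other bits; any of them set is a failure
    if [ $((0$perm & 077)) -ne 0 ]; then
        echo "FAIL: $f mode $mode grants group/other access"
        return 1
    fi
    echo "OK: $f mode $mode owner $owner"
    return 0
}

# Usage against the file named in the error message from the bug report:
# check_mkey_perms /var/lib/heimdal-kdc/m-key
```

Run as a cron or configuration-management check, a non-zero exit flags the "open up the permissions" workaround described in the thread. The second argument exists only so the check can be exercised on files owned by a non-root user; leave it unset on a real KDC.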