
“main” (Installation and Administration) 2004/6/25 13:29 page 678 #704
To enable Kerberos to bind to the OpenLDAP server, create a principal
ldap/earth.sample.com and add that to the keytab:
kadmin add -r ldap/earth.sample.com
ktutil get ldap/earth.sample.com
By default, the LDAP server slapd runs as user and group ldap, while the
keytab file is readable by root only. Therefore, either change the LDAP
configuration so the server runs as root or make the keytab file readable
by group ldap.
To run slapd as root, edit /etc/sysconfig/openldap. Disable the
OPENLDAP_USER and OPENLDAP_GROUP variables by putting a comment
character in front of them.
To make the keytab file readable by group ldap, execute
chgrp ldap /etc/krb5.keytab
chmod 640 /etc/krb5.keytab
Neither solution is perfect: running slapd as root means a compromised LDAP
server has full control of the host, and making /etc/krb5.keytab readable by
group ldap exposes every key stored in that file, not just the ldap/ service
key, to anything running with that group. However, at the moment it is not
possible to configure OpenLDAP to make it use a separate keytab file. Finally,
restart the LDAP server using rcldap restart.
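The following POSIX sh functions are an added example, not part of the SUSE manual: they audit which of the two workarounds above is in effect (slapd running as root because OPENLDAP_USER is commented out, or a keytab owned by group ldap with mode 640) and reject a keytab that is readable by everyone. The file paths and the group name are parameters so the checks can be run against copies; the variable names OPENLDAP_USER and the chgrp/chmod result are taken from the text, and treating an absent OPENLDAP_USER like a commented-out one is an assumption.

```shell
#!/bin/sh
# Added example (not from the SUSE manual): check how slapd is allowed to
# read the Kerberos keytab and flag the combinations that do not work or
# that leave the keytab world-readable.

# Return 0 if slapd would run as root: OPENLDAP_USER in the given sysconfig
# file is commented out, absent (assumption: treated like commented out),
# empty, or explicitly "root".
slapd_runs_as_root() {
    line=$(grep '^[[:space:]]*OPENLDAP_USER=' "$1" | tail -n 1)
    user=${line#*=}
    user=$(printf '%s' "$user" | tr -d "\"'")   # strip surrounding quotes
    [ -z "$user" ] || [ "$user" = root ]
}

# Return 0 if the keytab is owned by group $2, readable by that group and
# not readable by "other" (what "chgrp ldap; chmod 640" produces).
keytab_group_readable() {
    info=$(ls -ld "$1") || return 1
    mode=$(printf '%s' "$info" | cut -c1-10)        # e.g. -rw-r-----
    group=$(printf '%s' "$info" | awk '{print $4}')
    case "$mode" in
        ????r??-??) ;;          # char 5: group read set, char 8: other read clear
        *) return 1 ;;
    esac
    [ "$group" = "$2" ]
}

# Combine both checks. Returns 0 when slapd can read the keytab by one of the
# two routes the text describes and the keytab is not world-readable.
#   $1 sysconfig file, $2 keytab file, $3 LDAP group name (default ldap)
keytab_access_ok() {
    sysconfig=$1; keytab=$2; ldapgroup=${3:-ldap}
    if slapd_runs_as_root "$sysconfig"; then
        echo "slapd runs as root; keytab ownership is irrelevant"
        mode=$(ls -ld "$keytab" | cut -c1-10)
        case "$mode" in
            ???????-??) return 0 ;;          # other read clear: acceptable
            *) echo "keytab is world-readable"; return 1 ;;
        esac
    fi
    echo "slapd runs unprivileged; keytab must be group $ldapgroup, mode 640"
    keytab_group_readable "$keytab" "$ldapgroup"
}

# Stand-alone use against the live system (constructed defaults):
#   keytab_access_ok /etc/sysconfig/openldap /etc/krb5.keytab ldap
```

Run it after editing /etc/sysconfig/openldap or changing the keytab's group and mode, before rcldap restart; a non-zero exit means slapd will still fail to read its key, or the keytab is exposed to every local user.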
Using Kerberos Authentication with LDAP
You should now be able to use tools, such as ldapsearch, with Kerberos
authentication automatically.
ldapsearch -b ou=People,dc=suse,dc=de '(uid=newbie)'
SASL/GSSAPI authentication started
SASL SSF: 56
SASL installing layers
[...]
# newbie, People, suse.de
dn: uid=newbie,ou=People,dc=suse,dc=de
uid: newbie
cn: Olaf Kirch
[...]
26.6. Installing and Administering Kerberos