LDAP/SASL/GSSAPI

Stephen Gallagher sgallagh at redhat.com
Thu Feb 10 18:45:36 UTC 2011



On 02/04/2011 03:32 PM, Trever L. Adams wrote:
> Hello everyone,
> 
> I am having some difficulty. I am using dovecot. I have it working with
> LDAP as the backend for userdb. Unfortunately, the LDAP I am using is
> now requiring SASL binds (GSSAPI/Kerberos is what I am going for).
> 
> Dovecot uses OpenLDAP/Cyrus SASL (at least in Fedora). I can't seem to
> be able to convince it to use a keytab with service principals. It keeps
> trying to look in a KRB5CCNAME cache file or the standard one for each
> user. This is fine, other than I am not sure how to get a non-expiring
> ticket that way.
> 
> So, this is all LDAP client, not server.
> 
> Anyone have any ideas?


There's really no such thing as a non-expiring ticket. You always need
to re-authenticate periodically to get a new ticket. Many deployments
allow tickets to be "renewable", however. This means you can use your
existing TGT to authenticate to get the new ticket (during the renewal
period).

If you are using SSSD 1.5 or later to authenticate users through
Kerberos, there is built-in functionality to enable auto-renewal of
Kerberos tickets.

See the options krb5_renewable_lifetime and krb5_renew_interval in
sssd-krb5(5) (man sssd-krb5).

-- 
Stephen Gallagher
RHCE 804006346421761

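A cron-driven script that keeps a keytab-based ticket fresh for an LDAP client such as dovecot, written here as an added example (it is not from the thread, from dovecot or from SSSD): it renews with the existing TGT while the renewable lifetime lasts and falls back to a fresh kinit from the keytab, which is the renew-or-reauthenticate cycle Stephen describes and what SSSD's krb5_renew_interval automates. The keytab path, principal and credential-cache location are assumptions; the cache must be the one the client reads via KRB5CCNAME.

```shell
#!/bin/sh
# Keep a service ticket cache usable for an LDAP client (e.g. dovecot doing
# SASL/GSSAPI binds). Run it from cron at an interval shorter than the
# ticket lifetime, the same role krb5_renew_interval plays in SSSD.
set -eu

KEYTAB=${KEYTAB:-/etc/dovecot/dovecot.keytab}            # assumed path
PRINCIPAL=${PRINCIPAL:-ldap-client/mail.example.com}      # assumed principal
RENEWABLE_LIFETIME=${RENEWABLE_LIFETIME:-7d}              # like krb5_renewable_lifetime
export KRB5CCNAME=${KRB5CCNAME:-FILE:/var/run/dovecot/krb5cc}  # assumed cache; client must use the same

# Renew while possible, otherwise re-authenticate from the keytab.
# Prints "renewed" or "reacquired" so callers and tests can see which path ran.
refresh_ticket() {
    # klist -s is silent and exits non-zero when the cache is missing or the TGT expired.
    if klist -s; then
        # A valid TGT can be renewed without touching the keytab, but only
        # inside the renewable lifetime granted by the KDC at acquisition.
        if kinit -R; then
            echo renewed
            return 0
        fi
    fi
    # No ticket, expired ticket, or renewable lifetime used up: start over.
    # -r asks the KDC for a renewable ticket so later runs can take the cheap path.
    kinit -k -t "$KEYTAB" -r "$RENEWABLE_LIFETIME" "$PRINCIPAL"
    echo reacquired
}

# Invoke as "refresh-krb5-cache.sh run" from cron; sourcing it only defines the function.
if [ "${1:-}" = run ]; then
    refresh_ticket
fi
```

The KDC must permit renewable tickets for the principal, or kinit -R will never succeed and every run will fall through to the keytab path.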

