On 02/04/2011 03:32 PM, Trever L. Adams wrote:
> Hello everyone,
>
> I am having some difficulty. I am using dovecot. I have it working with
> LDAP as the backend for userdb. Unfortunately, the LDAP I am using is
> now requiring SASL binds (GSSAPI/Kerberos is what I am going for).
>
> Dovecot uses OpenLDAP/Cyrus SASL (at least in Fedora). I can't seem to
> be able to convince it to use a keytab with service principals. It keeps
> trying to look in a KRB5CCNAME cache file or the standard one for each
> user. This is fine, other than I am not sure how to get a non-expiring
> ticket that way.
>
> So, this is all LDAP client, not server.
>
> Anyone have any ideas?

There's really no such thing as a non-expiring ticket. You always need
to re-authenticate periodically to get a new ticket.

Many deployments allow tickets to be "renewable", however. This means
you can use your existing TGT to authenticate to get the new ticket
(during the renewal period).

If you are using SSSD 1.5 or later to authenticate users through
Kerberos, there is built-in functionality to enable auto-renewal of
Kerberos tickets. See the options krb5_renewable_lifetime and
krb5_renew_interval in sssd-krb5(5) (man sssd-krb5).

-- 
Stephen Gallagher
RHCE 804006346421761