Re: LDAP/SASL/GSSAPI


On 02/04/2011 03:32 PM, Trever L. Adams wrote:
> Hello everyone,
> 
> I am having some difficulty. I am using dovecot. I have it working with
> LDAP as the backend for userdb. Unfortunately, the LDAP I am using is
> now requiring SASL binds (GSSAPI/Kerberos is what I am going for).
> 
> Dovecot uses OpenLDAP/Cyrus SASL (at least in Fedora). I can't seem to
> be able to convince it to use a keytab with service principals. It keeps
> trying to look in a KRB5CCNAME cache file or the standard one for each
> user. This is fine, other than I am not sure how to get a non-expiring
> ticket that way.
> 
> So, this is all LDAP client, not server.
> 
> Anyone have any ideas?


There's really no such thing as a non-expiring ticket. You always need
to re-authenticate periodically to get a new ticket. Many deployments
allow tickets to be "renewable", however. This means you can use your
existing TGT to authenticate to get the new ticket (during the renewal
period).

If you are using SSSD 1.5 or later to authenticate users through
Kerberos, there is built-in functionality to enable auto-renewal of
Kerberos tickets.

See the options krb5_renewable_lifetime and krb5_renew_interval in
sssd-krb5(5) (man sssd-krb5).

-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
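
The ticket lifetime and renewal window described in the reply above, as an added example that is not part of the original thread: a shell helper that decides whether a service's ticket is still fine, can be renewed with `kinit -R`, or needs a fresh keytab login. The keytab path, principal, cache location and the `ticket_action`/`refresh_ticket` names are hypothetical, and the caller is assumed to supply the ticket's end and renew-until times as epoch seconds (for example, parsed from `klist`).

```shell
#!/bin/sh
# Added example (not from the thread). All names and paths are placeholders.
KEYTAB="${KEYTAB:-/etc/example-service.keytab}"
PRINCIPAL="${PRINCIPAL:-imap/mail.example.com@EXAMPLE.COM}"
CCACHE="${CCACHE:-FILE:/run/example-service/krb5cc}"
MARGIN="${MARGIN:-600}"   # act this many seconds before the ticket expires

# ticket_action NOW END RENEW_TILL [MARGIN]   (all values in epoch seconds)
# Prints one of:
#   ok     - ticket is valid beyond the safety margin
#   renew  - close to expiry, still valid, and the renewable window has room
#   reauth - ticket expired or renewable window exhausted: new login needed
ticket_action() {
    now=$1; end=$2; renew_till=$3; margin=${4:-$MARGIN}
    if [ $((now + margin)) -lt "$end" ]; then
        echo ok
    elif [ "$now" -lt "$end" ] && [ $((now + margin)) -lt "$renew_till" ]; then
        # Renewal needs a TGT that has not expired yet, and the renewed
        # ticket can never outlive renew_till.
        echo renew
    else
        echo reauth
    fi
}

# refresh_ticket NOW END RENEW_TILL: run the matching MIT kinit command.
refresh_ticket() {
    case "$(ticket_action "$@")" in
        ok)     return 0 ;;
        renew)  kinit -c "$CCACHE" -R ;;
        reauth) kinit -c "$CCACHE" -k -t "$KEYTAB" -r 7d "$PRINCIPAL" ;;
    esac
}

# Constructed timestamps: ticket ends at 5000 and is renewable until 9000.
for t in 1000 4600 6000; do
    echo "t=$t -> $(ticket_action "$t" 5000 9000)"
done
```

Run from a timer, `refresh_ticket` keeps the cache named by `CCACHE` populated; the process doing the SASL/GSSAPI bind would then need `KRB5CCNAME` pointed at that same cache.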