[Fedora-directory-users] FDS / PAM Integration Questions

Richard Megginson rmeggins at redhat.com
Fri Feb 2 04:00:53 UTC 2007


Jonathan Schreiter wrote:
>>   
>> Or, just use
>> nsSaslMapBaseDNTemplate: ou=People,dc=myexample,dc=com
>> nsSaslMapFilterTemplate: (uid=\1)
>>     
>
> Hi Richard,
> I found the root cause of my problems, and they are as follows (in case anyone else happens to be searching these archives).  I was using a keytab file that was readable only by root, while I was running the server as the default install user of nobody.  As soon as I opened read access to that user, all Kerberos / GSSAPI / SASL mechanisms worked.  Also, the confusion I had earlier about whether I should enter the detail via the console was due to the fact I hadn't refreshed all after making the addition to the config - sasl - mapping - mymap entry with the nsSaslMapping.  After I refreshed, this mapping appeared under the SASL Mapping in the configuration tab.  I realize this probably isn't the most secure way of doing this, so I'll probably change the default user that the server runs as.
>
> I have a few more questions regarding GSSAPI with FDS.
>
> 1) Because I have GSSAPI / SASL enabled, does this automatically enable encryption via GSSAPI?  It mentioned that it will do this in the documentation, but I was unable to find the details of this.
>   
Yes.  You can verify this by using tcpdump or ethereal/wireshark to 
sniff the traffic.
> 2) I've set up a second FDS to act as a consumer (single master replication).  I've followed the administrator's documentation and set a simple cn=replication manager, cn=config on both servers to act as the bind for replication (via replication agreement).  I've tested this and everything is working great (directory entries, GSSAPI, etc).  I would imagine that when the replication binds, the password is sent in clear text.  Is this true?  If I create a new user in the cn=config and create a new sasl mapping (uid=\1,cn=config), can I simply create a kerberos principal with the same name and use GSSAPI for the bind?  The same question as #1 above: will this session be encrypted via GSSAPI as well?
>   
Server to server GSSAPI does not currently work.  If you don't want to 
send unencrypted clear text passwords over the wire, your best bet is to 
set up SSL between the servers.
> Any help would be greatly appreciated.  Thanks!
> Jonathan
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   
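Two of the points in this exchange (how a nsSaslMapping entry turns the authenticated GSSAPI identity into the search that finds the bind entry, and the keytab permission problem that was the root cause) are illustrated below as an added example written for this archive page; it is not code from Fedora Directory Server. The mapping values, the identities and the stand-in keytab file are all constructed here, and the regex dialect used is Python's rather than the server's (an assumption: the server's \(.*\) groups are written (.*) in this file). The filter and DN escaping is this example's defensive choice; check the server's own handling of metacharacters in a principal before relying on it.

```python
"""Added example for the thread above, not Fedora/389 Directory Server code.
(1) apply_mapping: what a SASL mapping does to an authenticated identity.
(2) keytab_access: is the keytab readable by the server account, and by
    everyone else?  All values below are constructed for this example."""
import os
import re
import stat
import tempfile

# Constructed mapping, shaped like cn=mymap,cn=mapping,cn=sasl,cn=config.
# The attribute names are the server's; the values are examples.  Regex
# dialect here is Python's (assumption: the server uses POSIX syntax, so
# its \(.*\) capture groups become (.*) in this file).
MAPPING = {
    "nsSaslMapRegexString": r"^(.*)@EXAMPLE\.COM$",
    "nsSaslMapBaseDNTemplate": "ou=People,dc=myexample,dc=com",
    "nsSaslMapFilterTemplate": r"(uid=\1)",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of a value substituted into a search filter, so a
    principal such as 'x)(uid=*' cannot widen the search to other entries."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping of a value substituted into a DN template."""
    escaped = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    if escaped[:1] in ("#", " "):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def apply_mapping(mapping: dict, sasl_identity: str):
    """Resolve the search base and filter for an authenticated identity.
    Returns (base_dn, ldap_filter), or None when the regex does not match
    (the server would then try another mapping or fail the bind)."""
    m = re.match(mapping["nsSaslMapRegexString"], sasl_identity)
    if m is None:
        return None

    def fill(template: str, escape) -> str:
        # \1, \2, ... in a template refer to the regex capture groups.
        return re.sub(r"\\(\d)",
                      lambda g: escape(m.group(int(g.group(1)))), template)

    return (fill(mapping["nsSaslMapBaseDNTemplate"], escape_dn_value),
            fill(mapping["nsSaslMapFilterTemplate"], escape_filter_value))


def keytab_access(path: str, server_uid: int, server_gid: int) -> dict:
    """Classify a keytab's permissions relative to the server account.
    The thread's root cause was a keytab readable only by root while the
    server ran as 'nobody'.  The fix that keeps the key private is a file
    owned by the server user with mode 0600, not a world-readable keytab.
    Only the primary group is considered; supplementary groups and root's
    override are ignored to keep the check simple."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    owner_can = st.st_uid == server_uid and bool(mode & stat.S_IRUSR)
    group_can = st.st_gid == server_gid and bool(mode & stat.S_IRGRP)
    other_can = bool(mode & stat.S_IROTH)
    return {
        "server_can_read": owner_can or group_can or other_can,
        "world_readable": other_can,
        "mode": oct(mode),
    }


def demo_keytab_check(mode: int = 0o600) -> dict:
    """Create a throwaway stand-in keytab with the given mode and classify
    it as if the server ran as the current user (constructed, not a real
    keytab)."""
    fd, path = tempfile.mkstemp(prefix="demo-keytab-")
    try:
        os.write(fd, b"not a real keytab")
        os.close(fd)
        os.chmod(path, mode)
        return keytab_access(path, os.getuid(), os.getgid())
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(apply_mapping(MAPPING, "jsmith@EXAMPLE.COM"))
    print(apply_mapping(MAPPING, "jsmith@OTHER.COM"))
    print(apply_mapping(MAPPING, "x)(uid=*@EXAMPLE.COM"))
    print(demo_keytab_check(0o600))   # private to the server account
    print(demo_keytab_check(0o644))   # readable by everyone: avoid this
```

Running it shows jsmith@EXAMPLE.COM resolving to a search for (uid=jsmith) under ou=People,dc=myexample,dc=com, an identity from another realm producing no match, and a principal containing filter metacharacters being escaped rather than rewriting the filter. The keytab check flags the world-readable variant, which is the "open read access" shortcut from the thread; the better end state is the file owned by the server's user with mode 0600.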