Document the new hdb-ldap* configuration options.

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
This commit is contained in:
Landon Fuller
2013-04-19 16:12:44 -04:00
committed by Love Hornquist Astrand
parent 96e9025675
commit 64341e9ec6


@@ -1053,7 +1053,8 @@ Its also possible to configure the ldap backend as a shared module,
see option --hdb-openldap-module to configure. see option --hdb-openldap-module to configure.
@item @item
Configure OpenLDAP with @kbd{--enable-local} to enable the local transport. Optionally configure OpenLDAP with @kbd{--enable-local} to enable the
local transport.
@item @item
Add the hdb schema to the LDAP server, it's included in the source-tree Add the hdb schema to the LDAP server, it's included in the source-tree
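Review bot: "Optionally configure OpenLDAP with @kbd{--enable-local}" drops the condition that makes the step optional, so a reader cannot tell when it is needed. State it explicitly, e.g. "Configure OpenLDAP with @kbd{--enable-local} to enable the local transport; this is required for the default ldapi:/// connection and can be skipped only when the KDC connects over ldap:// or ldaps://."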
@@ -1064,8 +1065,8 @@ include /usr/local/etc/openldap/schema/hdb.schema
@end example @end example
@item @item
Configure the LDAP server ACLs to accept writes from clients over the Configure the LDAP server ACLs to accept writes from clients. For
local transport. For example: example:
@example @example
access to * access to *
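Review bot: removing "over the local transport" from the ACL sentence silently widens the requirement to every client, since the same `access to *` rule now also governs binds arriving over ldap:// or ldaps://. The text should say the write grant belongs to the KDC's bind identity only (the dn that the authz-regexp maps the local socket peer to, or the dn given in @samp{hdb-ldap-bind-dn} for a network connection), not to clients generally, so the example ACL is not read as "any client may write".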
@@ -1085,10 +1086,15 @@ krb5Principal aux object with krb5PrincipalName set so that the
Another option is to create an admins group and add the dn to that Another option is to create an admins group and add the dn to that
group. group.
Since Heimdal talks to the LDAP server over a UNIX domain socket, and If a non-local LDAP connection is used, the authz-regexp is not
uses external sasl authentication, it's not possible to require needed as Heimdal will bind to LDAP over the network using
security layer quality (ssf in cyrus-sasl lingo). So that requirement provided credentials.
has to be turned off in OpenLDAP @command{slapd} configuration file
Since Heimdal talks to the LDAP server over a UNIX domain socket when
configured for ldapi:///, and uses external sasl authentication, it's
not possible to require security layer quality (ssf in cyrus-sasl lingo).
So that requirement has to be turned off in OpenLDAP @command{slapd}
configuration file
@file{slapd.conf}. @file{slapd.conf}.
@example @example
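Review bot: the retained conclusion "So that requirement has to be turned off in OpenLDAP @command{slapd} configuration file" now reads as advice for every transport, but the justification in the same paragraph (UNIX domain socket, external SASL) applies only to the ldapi:/// case. For a network bind the credentials from @samp{hdb-ldap-secret-file} are sent over the connection, so the ssf/TLS requirement should be kept there (or ldaps:// used) and relaxed only for the ldapi:/// listener. Suggest scoping the sentence: "When using ldapi:///, that requirement has to be turned off ...; for ldap:// or ldaps:// connections keep it in place."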
@@ -1116,9 +1122,13 @@ enter the path to the kadmin acl file:
@example @example
[kdc] [kdc]
# Optional configuration
hdb-ldap-structural-object = inetOrgPerson
hdb-ldap-url = ldapi:/// (default), ldap://hostname or ldaps://hostname
hdb-ldap-secret-file = /path/to/file/containing/ldap/credentials
database = @{ database = @{
dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com
hdb-ldap-structural-object = inetOrgPerson
acl_file = /path/to/kadmind.acl acl_file = /path/to/kadmind.acl
mkey_file = /path/to/mkey mkey_file = /path/to/mkey
@} @}
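Review bot: `hdb-ldap-url = ldapi:/// (default), ldap://hostname or ldaps://hostname` is not a value the configuration parser can use, and it sits inside an @example that readers copy verbatim. Use one concrete value (`hdb-ldap-url = ldapi:///`) and move the accepted forms and the default into the prose. Also, @samp{hdb-ldap-structural-object} is removed from inside the `database = @{ ... @}` block and added at the top of [kdc]; if the option is no longer honoured inside the database block, existing configurations that set it there will stop working, so either document both locations or say which one is read.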
@@ -1129,7 +1139,18 @@ directory to have the raw keys inside it. The
hdb-ldap-structural-object is not necessary if you do not need Samba hdb-ldap-structural-object is not necessary if you do not need Samba
comatibility. comatibility.
If connecting to a server over a non-local transport, the @samp{hdb-ldap-url}
and @samp{hdb-ldap-secret-file} options must be provided. The
@samp{hdb-ldap-secret-file} must contain the bind credentials:
@example
[kdc]
hdb-ldap-bind-dn = uid=heimdal,dc=services,dc=example,dc=com
hdb-ldap-bind-password = secretBindPassword
@end example
The @samp{hdb-ldap-secret-file} and should be protected with appropriate
file permissions
@item @item
Once you have built Heimdal and started the LDAP server, run kadmin Once you have built Heimdal and started the LDAP server, run kadmin
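Review bot: "The @samp{hdb-ldap-secret-file} and should be protected with appropriate file permissions" has a stray "and" and no terminating period. The advice is also too vague for a file that holds @samp{hdb-ldap-bind-password} in cleartext: say that it must be owned by and readable only by the user the KDC and kadmind run as (mode 0600) and never group- or world-readable. @samp{hdb-ldap-bind-dn} and @samp{hdb-ldap-bind-password} appear here for the first time and are not mentioned with the other hdb-ldap-* options in the [kdc] example above, so a sentence introducing them would help. While here, "comatibility" in the unchanged context line should read "compatibility".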