[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Heimdal/OpenLDAP/Samba howto and bugreport
A few comments...
If one were to add the suggested access statement:
access to *
by dn="uid=heimdal,dc=services,dc=padl,dc=com" write
before other access statements, then no other user (including
anonymous) can access anything (due to the implicit "by * none stop"
in all access statements). (If it was added after other access
statements it likely would have no effect (as access to * would
likely already be described). Also, it really dn.exact= instead of
dn=. A better access statement would be:
access to *
by dn.exact="uid=heimdal,dc=services,dc=padl,dc=com" write
by * none breakwith a note that this should be included above other statements.
Or:
access to *
by dn.exact="uid=heimdal,dc=services,dc=padl,dc=com" write
...(... indicating the admin needs to integrate this with their other
access statements).
Regarding commenting out sasl-secprops minssf=128, it might
be better to instead lower the minssf to 70. The base SSF of
ldapi:// is currently 71. We figured that use of ldapi:// was better
than weak encryption (<65) but not as good as stronger
encryption (>95), hence the 71. The ldapi:// SSF should really
be a configurable option. I'll add that to our TODO list.
Kurt
At 09:40 AM 5/31/2004, Love wrote:
>Tarjei Huse <tarjei@nu.no> writes:
>
>>> I would like to include it with the documtation we ship with heimdal, and I
>>> guess we should rebuild the htmlized info documtation every night so it
>>> happends.
>> Good :-)
>>
>>> If your howto don't fit into the info documetation in a good way, I can put
>>> them up on the website (on train right now, can't check).
>>
>> Ok, both things are good IMHO. I think we should decide on how to do the
>> configuration before I move the howto, but once that has been done, then
>> it should be included here and there.
>>
>> I'm planning to expand the section on using kerberos to include services
>> like ssh, cyrus-imapd and emailclients.
>
>So I've folded in most comments into the already existing document that was
>based on Luke Howards document, you can find a snapshot here (its all
>commited, so it will be in next snapshot).
>
>http://people.su.se/~lha/patches/heimdal/ldap-info-doc.txt
>
>The third point in your TroubleshootingGuide (missing krb5KeyVersionNumber)
>was a bug and is now fixed.
>
>Love
>