Comments on LDAP support in heimdal
- To: heimdal-discuss@sics.se
- Subject: Comments on LDAP support in heimdal
- From: Lars Kellogg-Stedman <lars@oddbit.com>
- Date: Sun, 30 Oct 2005 18:56:12 -0500
- Sender: owner-heimdal-discuss@sics.se
Howdy,
While setting up Heimdal kerberos with the LDAP backend, I ran into a few
stumbling blocks. Everything is working now, but I'm curious what other
folks think about these issues:
(1) Problems with LDAP hdb as a dynamic module.
I originally built heimdal with --enable-hdb-openldap-module. I was using
the following database configuration:
[kdc]
database = {
realm = EXAMPLE.COM
dbname = ldap:ou=dc=example,dc=com
mkey_file = /var/heimdal/m-key
}
Running 'kadmin -l', and then 'init EXAMPLE.COM' simply created a *file*
called "ldap:dc=example,dc=com" in the current working directory.
It didn't look as if any attempt was made to load the LDAP hdb backend.
Building without --enable-hdb-openldap-module fixed this problem. I've got
two questions:
(a) Is this (LDAP hdb as a loadable module) currently expected to work?
(b) Wouldn't it make more sense to treat a dbname of ldap:... as an error
if we can't load the appropriate hdb module?
(2) Problems with log_file.
When using the LDAP backend, the logic that creates the name of the log
file is arguably sub-optimal -- as in (1), it simply appends ".log" to
dbname and creates the file in the current working directory. When using
non-file backends, might it make more sense to create the log file under
/var/heimdal? For example, given dbname=ldap:dc=example,dc=com, maybe
default to /var/heimdal/_ldap_dc=example_dc=com -- that is, replace
"special" characters with "_", and maybe add a leading "_" to indicate a
generated filename. Or at the very least, exit with an error if
log_file hasn't been given explicitly in the configuration.
-- Lars
--
Lars Kellogg-Stedman <lars@larsshack.org>
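The log-file naming rule proposed in point (2), written out as an added example in C. This is not Heimdal's code and not something from the thread; the function name hdb_log_name, the strict flag, the /var/heimdal directory constant and the exact set of characters kept unchanged (letters, digits, "=", ".", "-", "_") are assumptions chosen to reproduce the example in the mail. An explicit log_file always wins; for a URI-style dbname such as ldap:dc=example,dc=com the name is generated under /var/heimdal with a leading "_" and "special" characters replaced by "_", or the call fails when strict naming is requested; for a plain file dbname the current ".log" suffix behaviour is kept.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Directory for generated log names (assumed default, per the mail). */
#define HDB_LOG_DIR "/var/heimdal"

/* Returns 1 if dbname names a non-file backend, i.e. it begins with a
 * URL-style scheme ("ldap:", ...) rather than a filesystem path. */
static int is_backend_uri(const char *dbname)
{
    const char *p = dbname;
    if (!isalpha((unsigned char)*p))
        return 0;
    while (isalnum((unsigned char)*p) || *p == '-' || *p == '+' || *p == '.')
        p++;
    return *p == ':';
}

/* Copy src into dst, replacing every character outside the allowed set
 * with '_'. '/' is deliberately not allowed, so a generated name can never
 * leave HDB_LOG_DIR. Returns 0, or -1 if src does not fit in dst. */
static int sanitize_component(const char *src, char *dst, size_t dstlen)
{
    size_t i;
    if (strlen(src) + 1 > dstlen)
        return -1;
    for (i = 0; src[i] != '\0'; i++) {
        unsigned char c = (unsigned char)src[i];
        dst[i] = (isalnum(c) || c == '=' || c == '.' || c == '-' || c == '_')
                     ? (char)c : '_';
    }
    dst[i] = '\0';
    return 0;
}

/*
 * Derive the hdb log file name (hypothetical helper, not Heimdal's API).
 *   log_file : explicit value from the [kdc] configuration, or NULL
 *   dbname   : the configured dbname
 *   strict   : if non-zero, refuse to invent a name for a non-file backend
 * Returns 0 and fills out on success, -1 on refusal or if out is too small.
 */
int hdb_log_name(const char *log_file, const char *dbname, int strict,
                 char *out, size_t outlen)
{
    int n;
    if (log_file != NULL && *log_file != '\0') {
        n = snprintf(out, outlen, "%s", log_file);
    } else if (is_backend_uri(dbname)) {
        char safe[256];
        if (strict)
            return -1;              /* "exit with an error" alternative */
        if (sanitize_component(dbname, safe, sizeof safe) != 0)
            return -1;
        n = snprintf(out, outlen, "%s/_%s", HDB_LOG_DIR, safe);
    } else {
        n = snprintf(out, outlen, "%s.log", dbname); /* current behaviour */
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Convenience wrapper returning a static buffer, or NULL on failure. */
const char *hdb_log_name_str(const char *log_file, const char *dbname, int strict)
{
    static char buf[512];
    if (hdb_log_name(log_file, dbname, strict, buf, sizeof buf) != 0)
        return NULL;
    return buf;
}

int main(void)
{
    const char *name = hdb_log_name_str(NULL, "ldap:dc=example,dc=com", 0);
    printf("%s\n", name ? name : "(refused)");
    return 0;
}
```

The sanitizer is the part worth keeping even if the directory or prefix convention changes: because "/" is mapped to "_", a dbname taken from the configuration can only ever produce a file directly inside the log directory, which is the property one wants from any "generated filename" rule.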