
Re: libnss-ldap authenticate with host keytab?: msg#00021

ldap.padl.nss

Subject: Re: libnss-ldap authenticate with host keytab?


Joel,

>I'm working on finalizing our setup here, but have this one remaining issue. I
>can't seem to get libnss-ldap to bind using the krb5.keytab entry for the
>host principal. Am I approaching this from the wrong direction, or am I just
>missing a simple switch?
>
>Anonymous bind is disabled (2003 Server AD), and I would *strongly* like to
>avoid having a readable dn/password in libnss-ldap.conf and thought that
>using the existing host/hosts.fqdn.com principal would be best, either via
>Kerberos directly, or more likely SASL.
>
>I'd appreciate any pointers/comments/ideas.

If you're using Heimdal, I suggest you use the Kerberos Credential Manager
(kcm) daemon, which will automatically maintain a credentials cache for
the host principal.

To configure, add the following to /etc/krb5.conf:

---CUT HERE---
[kcm]
system_ccache = {
principal = CLIENT$
spn_aliases = host/client.ischool.washington.edu
}
---CUT HERE---

(replacing CLIENT with the client hostname), and the following to
/etc/ldap.conf:

---CUT HERE---
krb5_ccname KCM:SYSTEM
---CUT HERE---

Then start kcm with "kcm --detach".

cheers,

-- Luke

--
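The two fragments above are small but easy to get subtly wrong (a stray `bindpw` left in /etc/ldap.conf defeats the whole point, and a `[kcm]` block without a `host/` SPN alias gives you a cache the host principal never lands in). The following POSIX sh lint is an added example, not part of Luke's reply or of the Heimdal or PADL projects; it reads the two files, checks for exactly those conditions, and runs against constructed sample files rather than the live system config. The hostnames, realm and file paths in the samples are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): a POSIX sh lint for the two
# config fragments in the reply. It checks that an ldap.conf points
# libnss-ldap at the KCM system cache and carries no clear-text bind
# password, and that a krb5.conf has a [kcm] system_ccache block with a
# host/ SPN alias. File paths are parameters so it runs on constructed copies.

# check_ldap_conf FILE
# returns 0 when krb5_ccname is KCM:SYSTEM and no bindpw/rootbindpw is set
check_ldap_conf() {
    f="$1"
    # krb5_ccname must select the KCM system cache (comment lines ignored)
    if ! grep -Eq '^[[:space:]]*krb5_ccname[[:space:]]+KCM:SYSTEM[[:space:]]*$' "$f"; then
        echo "$f: krb5_ccname is not KCM:SYSTEM" >&2
        return 1
    fi
    # a readable static bind password is exactly what this setup avoids
    if grep -Eq '^[[:space:]]*(root)?bindpw[[:space:]]' "$f"; then
        echo "$f: clear-text bindpw present" >&2
        return 1
    fi
    return 0
}

# check_krb5_conf FILE HOSTNAME
# returns 0 when the [kcm] section has a system_ccache block whose
# spn_aliases names host/HOSTNAME
check_krb5_conf() {
    f="$1"; host="$2"
    # extract the [kcm] section: from its header up to the next [section]
    section=$(awk '/^[ \t]*\[kcm\]/{in_s=1; next} /^[ \t]*\[/{in_s=0} in_s' "$f")
    if ! printf '%s\n' "$section" | grep -Eq 'system_ccache[[:space:]]*=[[:space:]]*\{'; then
        echo "$f: no [kcm] system_ccache block" >&2
        return 1
    fi
    if ! printf '%s\n' "$section" | grep -Eq "spn_aliases[[:space:]]*=[[:space:]]*host/$host([[:space:]]|$)"; then
        echo "$f: no host/$host alias in [kcm]" >&2
        return 1
    fi
    return 0
}

# Constructed sample files (not real system config) covering both outcomes.
tmp=${TMPDIR:-/tmp}/kcm-check.$$
mkdir -p "$tmp"

cat > "$tmp/ldap.good.conf" <<'EOF'
uri ldap://dc1.example.com/
base dc=example,dc=com
krb5_ccname KCM:SYSTEM
EOF

cat > "$tmp/ldap.bad.conf" <<'EOF'
uri ldap://dc1.example.com/
base dc=example,dc=com
binddn cn=nss,cn=Users,dc=example,dc=com
bindpw s3cret
EOF

cat > "$tmp/krb5.good.conf" <<'EOF'
[libdefaults]
default_realm = EXAMPLE.COM

[kcm]
system_ccache = {
principal = CLIENT$
spn_aliases = host/client.example.com
}
EOF

# run_checks: exercise the three samples; exit status is that of the last check
run_checks() {
    check_ldap_conf "$tmp/ldap.good.conf" && echo "ldap.good.conf: ok"
    check_ldap_conf "$tmp/ldap.bad.conf" || echo "ldap.bad.conf: rejected"
    check_krb5_conf "$tmp/krb5.good.conf" client.example.com && echo "krb5.good.conf: ok"
}
run_checks
```

Point the two functions at the real /etc/ldap.conf and /etc/krb5.conf (with the host's own FQDN as the second argument) to verify a deployed box; a non-zero return with the reason on stderr is the signal to fix the file before starting kcm.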


