Hello, I'm currently trying to use Active Directory with Unix extensions to store UID, GID and homedir and retrieve them with LDAP. I don't want to allow anonymous bindings, and I would rather not use TLS and manage a PKI. So I'm trying to use SASL to do a Kerberos authentication for Dovecot against AD LDAP. I'm currently getting GSSAPI errors about the lack of a "credentials cache".

Looking at similar cases where services act as clients, like using nss_ldap for Unix host accounts, I understand the credentials cache should be initiated by an external program (cron and startup script), at least with the TGT and maybe the TGS for LDAP. Since usually the Kerberos v5 cache is based on the user id (/tmp/krb5cc_0 for root), there's an option in ldap.conf (krb5_ccname) to set the filename (/etc/.ldapcache in nss_ldap tutorials) for this cache.

Is there any way to do this with dovecot-ldap.conf, or should I try to use the "auth user" default cache filename?

Thanks in advance
On Fri, 2007-10-05 at 22:17 +0200, olivier castan wrote:
> Since usually kerberosv5 cache is based on the user id ( /tmp/krb5cc_0
> for root) there's an option in ldap.conf (krb5_ccname) to set the
> filename (/etc/.ldapcache in nss_ldap tutorials) for this cache.
> Is there any way to do this with dovecot-ldap.conf

I've no idea how I would even pass such a setting to Kerberos. I guess it would be in some environment variable.

> or should I try to use "auth user" default cache filename ?

Probably better if it works.
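The "external program" the question describes, written out as an added example (it is not from the thread and not Dovecot's own code): a script that fills a dedicated credential cache from a keytab, checks that the keytab and the cache are private to their owner, and is meant to be run from the init script before Dovecot starts and from cron afterwards. Every path, principal and user name in it is an assumed placeholder; MIT kinit/klist options are assumed, and the Dovecot settings quoted in the header comment are the 2.x names (check them with doveconf on your version). Since Dovecot has no krb5_ccname-style setting, the cache is selected the way the reply guesses, through the KRB5CCNAME environment variable, or by filling the auth user's default cache so that no variable is needed at all.

```shell
#!/bin/sh
# Keeps a Kerberos credential cache fresh for Dovecot's LDAP GSSAPI bind.
# Run from the init script before Dovecot starts and from cron a few times
# a day (AD tickets last 10 hours by default). Added example, not Dovecot's
# own code; every path, principal and user name below is an assumed value.
#
# Dovecot side (assumed 2.x setting names; see doveconf on your version):
#   dovecot-ldap.conf.ext:  sasl_bind = yes
#                           sasl_mech = GSSAPI
#                           sasl_realm = EXAMPLE.COM
#   dovecot.conf:           import_environment = $import_environment KRB5CCNAME
# Export KRB5CCNAME to the same file this script fills before starting
# Dovecot, so the auth process looks there instead of in /tmp/krb5cc_<uid>.
set -eu

KEYTAB=${KEYTAB:-/etc/dovecot/dovecot.keytab}                 # assumed path
PRINCIPAL=${PRINCIPAL:-dovecot/mail.example.com@EXAMPLE.COM}  # assumed principal
CCACHE=${CCACHE:-FILE:/var/lib/dovecot/krb5cc}                # assumed cache location
DOVECOT_USER=${DOVECOT_USER:-dovecot}                         # user running the auth process
MAX_AGE_MIN=${MAX_AGE_MIN:-240}                               # renew after 4 hours

# Traditional MIT default cache name for a numeric uid (assumed; the real
# default is default_ccache_name in krb5.conf). This is the "auth user
# default cache" alternative: fill that file and no environment variable
# is needed.
default_ccache_for_uid() {
    printf 'FILE:/tmp/krb5cc_%s\n' "$1"
}

# Succeeds only when the file exists and no group/other permission bits are
# set (mode 0600 or stricter). Keytab and cache both hold long-lived secrets,
# so anything looser is treated as an error.
check_private_file() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeeds (= stale) when the cache file is missing or older than $2 minutes.
ccache_is_stale() {
    [ -f "$1" ] || return 0
    [ -n "$(find "$1" -prune -mmin +"$2" -print)" ]
}

# Obtain a fresh TGT from the keytab into CCACHE and hand the file to the
# Dovecot user. umask 077 makes kinit create it unreadable to anyone else.
refresh_ccache() {
    ccfile=${CCACHE#FILE:}
    check_private_file "$KEYTAB" || { echo "refusing: $KEYTAB is not mode 0600" >&2; return 1; }
    umask 077
    kinit -k -t "$KEYTAB" -c "$CCACHE" "$PRINCIPAL"
    chown "$DOVECOT_USER" "$ccfile"
    check_private_file "$ccfile"
    klist -s -c "$CCACHE"      # exits non-zero if the cache holds no valid TGT
}

# Entry point: "refresh" always renews, "ensure" only when stale (for cron).
case "${1:-}" in
    refresh) refresh_ccache ;;
    ensure)  if ccache_is_stale "${CCACHE#FILE:}" "$MAX_AGE_MIN"; then refresh_ccache; fi ;;
esac
```

A cron entry such as `0 */4 * * * root /usr/local/sbin/dovecot-krb5cc ensure` (assumed install path) keeps the TGT well inside its lifetime; the init script calls `refresh` once before `dovecot` starts. Two points worth checking on a real deployment: the GSSAPI bind authenticates the client without TLS, but the LDAP traffic is only protected if the SASL security layer is negotiated, so set `SASL_SECPROPS minssf=56` (or higher) in the client ldap.conf that Dovecot's libldap reads, which should make the bind fail rather than fall back to cleartext (assumed to apply to Dovecot's build; verify with a packet capture); and the keytab is equivalent to the account's password, so keep it 0600 and root-owned, which is what `check_private_file` enforces before kinit is even called.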