author    Landon Fuller <landonf@plausible.coop>  2013-04-19 16:12:44 -0400
committer Love Hornquist Astrand <lha@h5l.org>  2013-04-24 16:21:15 -0700
commit    64341e9ec6a95e6f861843234b1dcf3ec8320eca (patch)
tree      c04187846d779a7085c17941385c5095555d49e7 /doc
parent    96e90256757c73ccf349d144e410ddf651a74cbc (diff)
Document the new hdb-ldap* configuration options.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Diffstat (limited to 'doc')
-rw-r--r--  doc/setup.texi  37
1 files changed, 29 insertions, 8 deletions
diff --git a/doc/setup.texi b/doc/setup.texi
index 6c34d77d9..cc8014ee4 100644
--- a/doc/setup.texi
+++ b/doc/setup.texi
@@ -1053,7 +1053,8 @@ Its also possible to configure the ldap backend as a shared module,
see option --hdb-openldap-module to configure.
@item
-Configure OpenLDAP with @kbd{--enable-local} to enable the local transport.
+Optionally configure OpenLDAP with @kbd{--enable-local} to enable the
+local transport.
@item
Add the hdb schema to the LDAP server, it's included in the source-tree
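Review bot: the rewritten step "+Optionally configure OpenLDAP with @kbd{--enable-local} to enable the local transport" now reads as optional without saying when it is needed; since later in this patch the local transport is tied to the ldapi:/// URL, state the condition inline, e.g. "Configure OpenLDAP with @kbd{--enable-local} if you intend to use the local (ldapi:///) transport; it is not needed for ldap:// or ldaps://."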
@@ -1064,8 +1065,8 @@ include /usr/local/etc/openldap/schema/hdb.schema
@end example
@item
-Configure the LDAP server ACLs to accept writes from clients over the
-local transport. For example:
+Configure the LDAP server ACLs to accept writes from clients. For
+example:
@example
access to *
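Review bot: dropping "over the local transport" widens the ACL step to network clients, but the paragraph no longer says which identity the ACL must grant writes to; for a network bind there is no authz-regexp mapping, so the ACL subject has to be the bind DN itself (the hdb-ldap-bind-dn introduced later in this patch). A sentence before the @example along the lines of "For network connections, grant write access to the DN that Heimdal binds as" would avoid an ACL that only matches the socket-mapped identity.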
@@ -1085,10 +1086,15 @@ krb5Principal aux object with krb5PrincipalName set so that the
Another option is to create an admins group and add the dn to that
group.
-Since Heimdal talks to the LDAP server over a UNIX domain socket, and
-uses external sasl authentication, it's not possible to require
-security layer quality (ssf in cyrus-sasl lingo). So that requirement
-has to be turned off in OpenLDAP @command{slapd} configuration file
+If a non-local LDAP connection is used, the authz-regexp is not
+needed as Heimdal will bind to LDAP over the network using
+provided credentials.
+
+Since Heimdal talks to the LDAP server over a UNIX domain socket when
+configured for ldapi:///, and uses external sasl authentication, it's
+not possible to require security layer quality (ssf in cyrus-sasl lingo).
+So that requirement has to be turned off in OpenLDAP @command{slapd}
+configuration file
@file{slapd.conf}.
@example
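Review bot: the new paragraph "+If a non-local LDAP connection is used, the authz-regexp is not needed ..." should also say that the relaxed ssf requirement described in the following paragraph applies only to the ldapi:/// case; when Heimdal binds over the network with a DN and password, the ssf requirement is what keeps that simple bind off a cleartext ldap:// connection, so the text should recommend ldaps:// (or keeping the ssf requirement) for the network case rather than leave the reader to apply the ldapi:/// relaxation to both. Minor: "in OpenLDAP @command{slapd} configuration file" is missing "the".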
@@ -1116,9 +1122,13 @@ enter the path to the kadmin acl file:
@example
[kdc]
+ # Optional configuration
+ hdb-ldap-structural-object = inetOrgPerson
+ hdb-ldap-url = ldapi:/// (default), ldap://hostname or ldaps://hostname
+ hdb-ldap-secret-file = /path/to/file/containing/ldap/credentials
+
database = @{
dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com
- hdb-ldap-structural-object = inetOrgPerson
acl_file = /path/to/kadmind.acl
mkey_file = /path/to/mkey
@}
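Review bot: the line "+ hdb-ldap-url = ldapi:/// (default), ldap://hostname or ldaps://hostname" is not a usable configuration value, and a reader who copies the @example block verbatim ends up with an unparsable URL; give one literal value (e.g. "hdb-ldap-url = ldapi:///") and put the alternatives and the default either in the prose or in a "#" comment above it, as the hunk already does with "# Optional configuration". The same treatment would suit "+ hdb-ldap-secret-file = /path/to/file/containing/ldap/credentials", which is at least syntactically valid but should be flagged as a placeholder.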
@@ -1129,7 +1139,18 @@ directory to have the raw keys inside it. The
hdb-ldap-structural-object is not necessary if you do not need Samba
comatibility.
+If connecting to a server over a non-local transport, the @samp{hdb-ldap-url}
+and @samp{hdb-ldap-secret-file} options must be provided. The
+@samp{hdb-ldap-secret-file} must contain the bind credentials:
+
+@example
+[kdc]
+ hdb-ldap-bind-dn = uid=heimdal,dc=services,dc=example,dc=com
+ hdb-ldap-bind-password = secretBindPassword
+@end example
+The @samp{hdb-ldap-secret-file} and should be protected with appropriate
+file permissions
@item
Once you have built Heimdal and started the LDAP server, run kadmin
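Review bot: "+The @samp{hdb-ldap-secret-file} and should be protected with appropriate file permissions" has a stray "and" and no terminating period; suggest "The @samp{hdb-ldap-secret-file} contains the bind password in cleartext and should be readable only by the user the KDC runs as." It would also help to state that the secret file uses the same stanza format as krb5.conf, since the @example opens with a "[kdc]" header that a reader could otherwise take for a copy-paste mistake.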