On Sat, 2010-06-12 at 18:31 +0200, Daniel Dehennin wrote:
> I provide a patch to start k5start when nslcd is configured for SASL
> GSSAPI kerberos authentication.

Thanks for your patch. If I understand correctly this allows nslcd to
authenticate with Kerberos to the LDAP server and keep the Kerberos ticket
active (I'm not very familiar with Kerberos).

> Handle kerberos ticket cache creation with k5start.
>
> * debian/nslcd.init (NSLCD_DEFAULT): Default configuration file.
> Add kerberos specific options: K5START_DESC, K5START_BIN,
> K5START_PIDFILE, KRB5_PRINCIPAL, KRB5_KEYTAB, KRB5_CCREFRESH, KRB5_MODE.
> Take care of badly configured nslcd.conf: use_sasl requires
> sasl_mech=GSSAPI which requires k5start binary.
> Restrict ticket cache type to file based.
> Start k5start before starting nslcd.
> Stop k5start after stopping nslcd.

The change to the init script is a bit large. Is there any way to make it
simpler? Currently it more than doubles the number of lines of code.

Also, is there any reasonable configuration where you have use_sasl in
nslcd.conf but don't use k5start?

> * debian/nslcd.default: Kerberos configuration used by init script.
>
> * debian/nslcd.conffile: Put nslcd.default in /etc/default/.
>
> * debian/control (Recommends): Add k5start.

I think this should be kstart. Anyway, I think this is more of a Suggests
than a Recommends because this is likely only useful in a limited number of
environments.

Note that the SASL-related options in nslcd are currently not completely
supported because I don't have SASL-related tests in my test environment.
This makes it a bit weird to support them in the init script.

Do you think the options (use_sasl, sasl_mech, sasl_realm, sasl_authcid,
sasl_authzid and sasl_secprops) work as they are supposed to? If this is
the case I will re-add them to the manual page and remove the warnings
during start-up. Can you check the commented out text to see if it is
still correct?

Thanks.

-- 
-- arthur - [email protected] - http://people.debian.org/~adejong --
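The configuration check the changelog above describes (use_sasl needs sasl_mech GSSAPI, GSSAPI needs the k5start binary, only file-based ticket caches are accepted) written out as a small POSIX shell example; this is added here and is not the patch under discussion. It assumes the nslcd.conf option naming the credential cache is called krb5_ccname, and takes the k5start path as a parameter.

```shell
#!/bin/sh
# Added example, not the patch under discussion: a sanity check for the
# SASL/Kerberos settings in nslcd.conf, in the spirit of the init-script
# check the changelog describes (use_sasl needs sasl_mech GSSAPI, which
# needs the k5start binary; only file-based ticket caches are accepted).
# Assumption: krb5_ccname is the nslcd.conf option naming the credential cache.

# Print the value of one option from an nslcd.conf-style file:
# first "key value" line wins, '#' comments are ignored.
nslcd_opt() {
    # $1 = config file, $2 = option name
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^#]*\).*/\1/p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 when the settings are usable, 1 otherwise (reason on stderr).
# $1 = path to nslcd.conf, $2 = path to the k5start binary.
check_sasl_config() {
    conf=$1; k5start=$2
    case "$(nslcd_opt "$conf" use_sasl)" in
        yes|on|true|1) ;;
        *) return 0 ;;   # SASL not enabled: nothing to check
    esac
    mech=$(nslcd_opt "$conf" sasl_mech)
    if [ "$mech" != "GSSAPI" ]; then
        echo "nslcd.conf: use_sasl requires sasl_mech GSSAPI (got '${mech:-unset}')" >&2
        return 1
    fi
    if [ ! -x "$k5start" ]; then
        echo "nslcd.conf: sasl_mech GSSAPI requires k5start, not found at $k5start" >&2
        return 1
    fi
    ccname=$(nslcd_opt "$conf" krb5_ccname)
    case "$ccname" in
        ""|FILE:*) return 0 ;;   # default or file-based cache: supported
        *) echo "nslcd.conf: only FILE: ticket caches are supported (got '$ccname')" >&2
           return 1 ;;
    esac
}

# Stand-alone run on a constructed configuration (not a real deployment).
demo_conf=$(mktemp)
printf 'uid nslcd\nuse_sasl yes\nsasl_mech GSSAPI\nkrb5_ccname FILE:/var/run/nslcd/nslcd.tkt\n' > "$demo_conf"
check_sasl_config "$demo_conf" "${K5START:-/usr/bin/k5start}" && echo "SASL settings usable"
rm -f "$demo_conf"
```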