
Re: syncrepl + GSSAPI





--On Thursday, August 05, 2004 11:34 AM -0400 "Matthew J. Smith" <matt.smith@uconn.edu> wrote:

Hello-

  I have searched the archives and Google with little luck, although
maybe I just haven't used the right keywords yet.  I am looking to
perform replication via syncrepl, using GSSAPI for authentication.  I
have GSSAPI working for user authentication already.

  With syncrepl, how do I get my consumer to obtain a ticket, using its
keytab (default /etc/krb5.keytab for now, although I'd like to move
that), so that it can attach to my provider?

  I am considering a cron job on the consumer that issues a "kinit
--keytab=..." every so often, but that seems inelegant.

  Is there a way to get the syncrepl process to obtain its own ticket
using the keytab?  I see a credentials=<password> option in the syncrepl
config -- is there a similar (undocumented?)  keytab=<keytabfile>
option?

Any help is appreciated!

I've been testing syncRepl with GSSAPI.

I suggest you use the k5start utility:

<http://www.eyrie.org/~eagle/software/kstart/>

and combine that with svcscan to create a process that will continually keep a ticket alive for you.

Then simply set the KRB5CCNAME environment variable in the startup script for SLAPD.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
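
The setup suggested in the reply above, sketched as an added example that is not part of the original thread: a daemontools-style service whose run script keeps a ticket cache alive with k5start, plus a check for the slapd startup script before it exports KRB5CCNAME. Assumptions: the post's "svcscan" is taken to mean a daemontools-style service scanner, and the paths, the `ldap` account and the 10-minute interval are placeholders.

```shell
#!/bin/sh
# Added example; function names, paths and the "ldap" owner are assumptions.

# Create a supervised service directory whose run script keeps a ticket
# cache fresh from the consumer's keytab. k5start stays in the foreground
# so the supervisor can restart it if it exits.
make_k5start_service() {
    svc_dir=$1 keytab=$2 ccache=$3 owner=$4
    mkdir -p "$svc_dir" || return 1
    cat > "$svc_dir/run" <<EOF
#!/bin/sh
# -f keytab file, -U take the principal from the keytab,
# -K wake every N minutes and renew when needed,
# -k ticket cache file, -o owner given to the cache file
exec k5start -f "$keytab" -U -K 10 -k "$ccache" -o "$owner"
EOF
    chmod 755 "$svc_dir/run"
}

# For the slapd startup script: refuse a cache that is missing, unreadable,
# or accessible to group/other, then export KRB5CCNAME for slapd.
use_ccache() {
    ccache=$1
    if [ ! -f "$ccache" ] || [ ! -r "$ccache" ]; then
        echo "no usable ticket cache: $ccache" >&2
        return 1
    fi
    # Characters 5-10 of the mode string are the group and other bits.
    perms=$(ls -ln "$ccache" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "ticket cache accessible to group/other: $ccache" >&2
        return 1
    fi
    KRB5CCNAME="FILE:$ccache"
    export KRB5CCNAME
}

# Typical use (placeholder paths):
#   make_k5start_service /service/k5start-slapd /etc/krb5.keytab \
#       /var/run/slapd.krb5cc ldap
#   use_ccache /var/run/slapd.krb5cc && exec slapd ...
```

The keytab itself should be readable only by the account that runs k5start, since anyone who can read it can obtain tickets as the consumer's principal.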