
Re: OpenLDAP replication using GSSAPI for slave server auth



Hi Matt,

I think I'm almost there!

I added a similar entry to my slave server, got my keytabs set up, crontabs set up, etc.

I'm wondering how the master server knows to accept the slave's authentication? Do I need something like:

overlay syncprov
syncprov-checkpoint 100 60
syncprov-sessionlog 100

and something like.....

access to *
     by self write
     by dn="cn=Manager,dc=soe,dc=ucsc,dc=edu"  write
     by <some kind of entry regarding gssapi ldap/slave.domain.com auth?>
     by *   read

in the master LDAP server's slapd.conf file?

Do you have access entries for your slaves in slapd.conf on your master server?

Also, when you had everything set up correctly, did the slave automatically populate /var/lib/ldap with the databases as soon as slapd started up?

Thanks a million again for your help/hints on this!

ciao, erich
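The master-side pieces Erich is asking about, written out as an added example that is not part of this thread or of either poster's configuration. It uses OpenLDAP 2.3 slapd.conf syntax; the base DN and manager DN are the ones from Erich's own snippet, while the realm EXAMPLE.REALM, the slave principal ldap/slave.domain.com and the replicator entry cn=replicator are assumptions. The point it illustrates is that the slave's GSSAPI identity does not appear in access directives directly: slapd first turns the Kerberos principal into a SASL authentication DN of the form uid=...,cn=...,cn=gssapi,cn=auth, an authz-regexp maps that onto an entry in the tree, and the access and limits directives then refer to that entry.

```conf
# ---- global section (before any "database" line) ----
# Map the SASL/GSSAPI identity slapd derives from the slave's Kerberos
# principal onto a DN in the directory.  Assumed: slave principal
# ldap/slave.domain.com in realm EXAMPLE.REALM (both placeholders).
# The exact incoming identity depends on the server's Cyrus SASL setup;
# check it from the slave with "ldapwhoami -Y GSSAPI -H ldap://<master>"
# before relying on the pattern.  OpenLDAP 2.2 spells this directive
# "sasl-regexp" instead of "authz-regexp".
authz-regexp
    uid=ldap/slave.domain.com,cn=EXAMPLE.REALM,cn=gssapi,cn=auth
    cn=replicator,dc=soe,dc=ucsc,dc=edu

# ---- database section ----
database    bdb
suffix      "dc=soe,dc=ucsc,dc=edu"
rootdn      "cn=Manager,dc=soe,dc=ucsc,dc=edu"
directory   /var/lib/ldap

# The cn=replicator entry must exist in the tree (add it with ldapadd).
# The slave never binds with a password, so give it no userPassword.

# Indexes syncprov relies on when consumers present a cookie.
index       entryCSN   eq
index       entryUUID  eq

# Password hashes have to reach the slave or users cannot bind there,
# so the replicator gets read on userPassword; nobody else does.
access to attrs=userPassword
    by self write
    by dn.exact="cn=replicator,dc=soe,dc=ucsc,dc=edu" read
    by anonymous auth
    by * none

# Read on everything else, which also covers the operational attributes
# that attrs="*,+" on the consumer side asks for.
access to *
    by self write
    by dn="cn=Manager,dc=soe,dc=ucsc,dc=edu" write
    by dn.exact="cn=replicator,dc=soe,dc=ucsc,dc=edu" read
    by * read

# The initial refresh returns every entry in the tree; lift the default
# size/time limits for the replication identity only.
limits dn.exact="cn=replicator,dc=soe,dc=ucsc,dc=edu" size=unlimited time=unlimited

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
```

To confirm the mapping took effect, run ldapwhoami with the GSSAPI mechanism from the slave while its ticket cache is populated: the answer should be dn:cn=replicator,dc=soe,dc=ucsc,dc=edu rather than the raw cn=gssapi,cn=auth identity. If it still shows the raw identity, the authz-regexp pattern does not match what slapd actually produced, and the access rules above will never apply to the slave.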

Smith, Matt wrote:
Erich-

  Here is the relevant snippet from my slave's syncrepl stanza (OL 2.2 -
syntax may have changed for 2.3) :

syncrepl rid=8
        provider=ldap://ldap0.uconn.edu
        starttls=critical
        type=refreshAndPersist
        retry=300,+
        searchbase="dc=uconn,dc=edu"
        filter="(objectClass=*)"
        attrs="*,+"
        scope=sub
        schemachecking=on
        updatedn="cn=root,dc=uconn,dc=edu"
        bindmethod=sasl
        saslmech=gssapi
        authcid=ldap/ldap8.uconn.edu@UCONN.EDU

I have a cron job periodically refresh my kerberos ticket using:

kinit -c /tmp/krb5cc_slapd -t /etc/openldap/ldap.keytab ldap/ldap8.uconn.edu@UCONN.EDU

This does avoid the use of slurpd.

HTH,
-Matt


On Thu, 2006-07-13 at 08:03 -0700, Erich Weiler wrote:
Matt-

I think I see what you're getting at. The k5start tool looks extremely cool and I think I'll use that. Can I skip using SASL to use this method of authentication? Or do I still need something like:

bindmethod=sasl saslmech=GSSAPI

in my syncrepl entry in slapd.conf?

Also, if I use SyncRep can I skip all the stuff about setting up replication with slurpd? That would be very nice as that slurpd stuff looked kind of sticky.

Sorry about the probably basic questions, I'm kind of new to this stuff and am picking it up on the way.... :)

ciao, erich

Matthew J. Smith wrote:
Erich-

  You will need to use the keytab to fetch a TGT for the user account
under which the OpenLDAP server is running.  Either a cron-job running
kinit, or k5start (first Google hit:
http://www.eyrie.org/~eagle/software/kstart/k5start.html ) should do the
trick.  Assuming you are using SyncRepl, you will need to do this on
each slave LDAP server.

HTH,
-Matt

-- 
===================================
Erich Weiler
UNIX Systems Administrator
School of Engineering
University of California Santa Cruz
weiler@soe.ucsc.edu
===================================