
Re: errant SASL/GSSAPI setup?

--On Wednesday, August 30, 2006 10:19 AM -0400 "Allan E. Johannesen" <aej@WPI.EDU> wrote:

> I've been using rootdn passwords over TLS with slurpd and since switching
> to syncrepl.  Seeing a posting by Quanah Gibson-Mount
> <quanah@stanford.edu> some weeks ago about k5start and KRB5CCNAME, I was
> inspired to try to make the switch.
>
> I grabbed kstart-3.5 and installed it and installed a sasl-regexp in the
> LDAP master:
>
> So far, everything looks good.  An update went through and the ldap
> ticket was established.  However, after the ticket expires, a subsequent
> update does not take place and a new ldap ticket isn't obtained.

I'd take a look at why you haven't set up kstart to continually refresh the ticket, so that it never expires... That's part of the point of using it.


See daemontools. Here is the ticket I use with daemontools to continually keep the K5 ticket active.

#!/bin/sh
# /service/k5start/run -- Run kstart to maintain our ticket for LDAP binds.
# $Id: run,v 1.2 2006/08/03 20:02:07 quanah Exp $

HOSTNAME=$(hostname)

# Obtain ldap/<hostname>@stanford.edu from the host keytab, write it to the
# ticket cache slapd is pointed at via KRB5CCNAME, and stay in the foreground
# (daemontools supervises it), waking every 30 minutes to renew the ticket
# before its 10h lifetime runs out.
exec /usr/bin/k5start -u ldap -i "$HOSTNAME" -r stanford.edu \
   -f /etc/krb5.keytab -k /var/run/ldap_syncreplica.tkt -l 10h -K 30


--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
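The failure Allan describes (the ticket silently expiring, so the next syncrepl bind fails) is easy to catch with a periodic health check on the cache file k5start writes. The script below is an added example, not from the original thread or the kstart project; the cache path and the lifetime/interval values mirror the run script above, the "two intervals per lifetime" rule is a rule of thumb, and `find -mmin` is assumed to be available (GNU and BSD find have it).

```shell
#!/bin/sh
# Health check for the k5start-maintained ticket cache used by syncrepl.
# Added example; paths and values are assumptions taken from the run script.

CACHE=/var/run/ldap_syncreplica.tkt   # k5start -k
LIFETIME=10h                          # k5start -l
REFRESH_MIN=30                        # k5start -K (minutes between checks)

# lifetime_seconds 10h -> 36000. Handles a single unit suffix (s, m, h, d)
# or a bare number of seconds; compound forms such as 10h30m are not handled.
lifetime_seconds() {
    case "$1" in
        *d) echo $(( ${1%d} * 86400 )) ;;
        *h) echo $(( ${1%h} * 3600 )) ;;
        *m) echo $(( ${1%m} * 60 )) ;;
        *s) echo $(( ${1%s} )) ;;
        *)  echo $(( $1 )) ;;
    esac
}

# Rule of thumb: k5start re-obtains the ticket only when it would expire
# before its next wake-up, so the check interval must sit well inside the
# lifetime. Returns 0 when at least two intervals fit in one lifetime.
refresh_is_sane() {
    [ $(( $2 * 60 * 2 )) -le "$(lifetime_seconds "$1")" ]
}

# A ticket never outlives -l, so a cache file older than the lifetime holds
# an expired ticket: k5start has stopped refreshing it (the failure in this
# thread). Returns 0 if the file was modified within max_seconds.
cache_is_fresh() {
    file=$1; max_min=$(( ($2 + 59) / 60 ))
    [ -f "$file" ] && [ -n "$(find "$file" -mmin "-$max_min" 2>/dev/null)" ]
}

check_syncrepl_ticket() {
    refresh_is_sane "$LIFETIME" "$REFRESH_MIN" ||
        { echo "k5start -K $REFRESH_MIN too close to -l $LIFETIME" >&2; return 1; }
    cache_is_fresh "$CACHE" "$(lifetime_seconds "$LIFETIME")" ||
        { echo "$CACHE missing or stale; is k5start still running?" >&2; return 1; }
    echo "ticket cache $CACHE is current"
}

if [ "${1:-}" = check ]; then check_syncrepl_ticket; fi
```

Run it as `sh k5check.sh check` from cron or a monitoring probe; a non-zero exit means the replica's next GSSAPI bind is about to fail.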