
Re: multi-master syncrepl with sasl/gssapi authentication



--On Wednesday, March 07, 2012 10:10 PM -0800 "Travis L. Bean" <travis.bean@assuretech.net> wrote:

What value do I set the KRB5TICKET environment variable to? In all the
documentation I have reviewed, I am not aware of the existence of a
KRB5TICKET environment variable. Do you mean KRB5_KTNAME?

On Debian Linux, I set KRB5_KTNAME with the following:

sed -i "s|#export KRB5_KTNAME=/etc/krb5.keytab|export \
  KRB5_KTNAME=/etc/ldap/ldap.keytab|" /etc/default/slapd

K5start is started with the following:

k5start -b -u ldap/${FQDN}@$KRB_REALM -f /etc/ldap/ldap.keytab \
  -K 10 -l 24h -k /tmp/krb5cc_0 -o openldap


You may want to read over:

<http://www.openldap.org/lists/openldap-software/200608/msg00294.html>

You need to point slapd to the ticket *cache* not the keytab. slapd itself won't obtain a ticket, that's the purpose of k5start. I realize the variable I was thinking of is KRB5CCNAME. ;)

--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration
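
Added example, not part of the original messages: a shell check that the defaults file slapd is started from exports KRB5CCNAME with the same ticket cache path that k5start writes with -k. The function names, host name, realm and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and file contents are constructed for illustration.

# Print the value of the last uncommented "export VAR=..." for VAR=$2 in file $1.
exported_value() {
    sed -n "s/^[[:space:]]*export[[:space:]]\{1,\}$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# Print the argument that follows -k (the ticket cache) in a k5start command line.
k5start_cache() {
    set -f; set -- $1; set +f   # split the command line into words, no globbing
    while [ $# -gt 1 ]; do
        if [ "$1" = "-k" ]; then printf '%s\n' "$2"; return 0; fi
        shift
    done
    return 1
}

# check_slapd_krb5 DEFAULTS_FILE "K5START COMMAND LINE"
# 0: KRB5CCNAME names the cache k5start maintains; 1: unset or mismatched; 2: no -k.
check_slapd_krb5() {
    cache=$(k5start_cache "$2") || { echo "k5start has no -k option"; return 2; }
    ccname=$(exported_value "$1" KRB5CCNAME)
    if [ -z "$ccname" ]; then
        echo "KRB5CCNAME is not exported in $1; slapd is not pointed at $cache"
        return 1
    fi
    if [ "${ccname#FILE:}" != "$cache" ]; then   # accept the FILE: prefix form
        echo "KRB5CCNAME=$ccname does not match k5start cache $cache"
        return 1
    fi
    echo "ok: slapd and k5start share ticket cache $cache"
}

# Constructed sample input mirroring the thread: the keytab-only setup, then the fix.
demo() {
    f=$(mktemp)
    cmd='k5start -b -u ldap/ldap1.example.com@EXAMPLE.COM -f /etc/ldap/ldap.keytab -K 10 -l 24h -k /tmp/krb5cc_0 -o openldap'
    echo 'export KRB5_KTNAME=/etc/ldap/ldap.keytab' > "$f"
    check_slapd_krb5 "$f" "$cmd"     # reports that KRB5CCNAME is missing
    echo 'export KRB5CCNAME=/tmp/krb5cc_0' >> "$f"
    check_slapd_krb5 "$f" "$cmd"     # reports ok
    rm -f "$f"
}
demo
```

On a real host, pass /etc/default/slapd and the k5start command line actually in use instead of the constructed values in demo.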