
Re: cross-replication, SASL



At 03:59 PM 1/8/01 -0800, Tomas Maly wrote:
>I was wondering if it was feasible to do "cross-replication"... I had
>the idea that let's say I have multiple LDAP servers and they all are
>masters, and all are running slurpd, and any change can occur on any
>server and replicate completely.  From how replication works, I think it
>may be able to work. I would have multiple replica statements in
>slapd.conf and all use some universal way of authenticating, let's say via
>SASL/GSSAPI.

Well, technically, you don't need a universal method for authentication.
Each slurpd just needs to be able to authenticate to the server(s)
it is a client of.  If you have a configuration where
        server  ncs     replicas
        A       o=A     B
        B       o=B     C
        C       o=C     A

Each slurpd needs to be able to authenticate to the replica server.
There are numerous ways this can be done.  The easiest is to have
a universal authentication framework for all three servers and 
name contexts.

>In that case, the binddn of a replica statement for remote
>host A is some key that all ldap hosts have access to... I'm not sure
>how that would work, exactly. 
>
>Anyway, in general, how would replication (not necessarily
>cross-replication) work via SASL/GSSAPI?

slurpd is just another client using SASL/GSSAPI to authenticate
on the replica and hence should be viewed as a separate principal.

>What keys would
>host1.domain.com and host2.domain.com require on each specific keytab?

Each LDAP server needs its own key with the principal
named "ldap/hostname@REALM".  Each SLURPD should have
its own key named however you like.  The DN implied
by the SLURPD principal is what the updatedn needs to
be set to.

Kurt
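As an added illustration of the A -> B -> C -> A ring and the principal/updatedn pairing described in the reply above (constructed example, not from the original mail or the OpenLDAP project): the host names, the realm EXAMPLE.COM, the principal names and the keytab paths are placeholders, and the replica/updatedn keywords are assumed to follow the later OpenLDAP 2.x slapd.conf(5) syntax.

```conf
# slapd.conf on server A: master for o=A, pushes changes to B.
# A's own service key is ldap/a.example.com@EXAMPLE.COM in slapd's keytab.
database        bdb
suffix          "o=A"
rootdn          "cn=Manager,o=A"
# slurpd on A is a separate client principal, slurpd-a@EXAMPLE.COM; its key
# sits in a keytab readable only by slurpd (assumed: /etc/openldap/slurpd.keytab),
# from which it gets a ticket, e.g. kinit -k -t /etc/openldap/slurpd.keytab slurpd-a
replica         host=b.example.com:389
                bindmethod=sasl saslmech=GSSAPI
                authcid="slurpd-a"
replogfile      /var/lib/ldap/replog

# slapd.conf on server B: read-only copy of o=A, master for o=B.
# B's own service key is ldap/b.example.com@EXAMPLE.COM in slapd's keytab.
database        bdb
suffix          "o=A"
# slapd sees the GSSAPI identity slurpd-a@EXAMPLE.COM as the DN below
# (the uid=<user>,cn=<realm>,cn=<mech>,cn=auth form), so only that DN may
# write into the replicated context; all other writers get a referral back
# to the master instead.
updatedn        "uid=slurpd-a,cn=EXAMPLE.COM,cn=gssapi,cn=auth"
updateref       ldap://a.example.com/

database        bdb
suffix          "o=B"
rootdn          "cn=Manager,o=B"
# B's slurpd uses its own principal, slurpd-b@EXAMPLE.COM, to replicate o=B to C;
# C in turn needs updatedn "uid=slurpd-b,cn=EXAMPLE.COM,cn=gssapi,cn=auth" on o=B.
replica         host=c.example.com:389
                bindmethod=sasl saslmech=GSSAPI
                authcid="slurpd-b"
replogfile      /var/lib/ldap/replog
```

Because each server honours only the one updatedn per replicated context, a compromised or misconfigured slurpd on A can write to B's copy of o=A but cannot touch o=B or o=C, which is the point of giving every slurpd its own principal rather than sharing one key.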