Re: Secure replication, using KerberosV keytab (or SASL?)
Quoting GOMBAS Gabor <gombasg@inf.elte.hu>:
> On Mon, Mar 19, 2001 at 10:10:11PM +0100, Turbo Fredriksson wrote:
>
> > I'm currently working on getting secure replication, using TLS/SSL
> > and SASL/KerberosV to work... Using my knowledge from OpenLDAP1, I
> > did this on the master server:
[...]
> > But if I'm using 'bindmethod=sasl', then I can't use a keytab...?
>
> I'm running kinit from cron to maintain a credential cache file. I
> think the GSSAPI library in Heimdal-0.3e can use a keytab directly, but
> I'm still using Heimdal-0.3d.
It seems that the MIT KerberosV kinit has the -k option to... I'll
try this.
So, what about this then, is this correctly understood?
Master server:
----- s n i p -----
# 'replica' takes all its arguments on one logical line: the
# continuation lines must start with whitespace
replica host=localhost:3391
        tls=yes
        bindmethod=sasl
        saslmech=GSSAPI
replogfile /var/lib/ldap/replog
----- s n i p -----
Start script:
----- s n i p -----
# obtain a TGT for the replicator principal from the keytab; slurpd picks up
# the credential cache from this environment (KRB5CCNAME or the default cache)
kinit -k -t /etc/ldap/slurpd.keytab replicator@<MY REALM>
[start slapd as usual]
----- s n i p -----
Cron script (every 24 hours?)
----- s n i p -----
# refresh the same cache before the ticket obtained at start-up expires
kinit -k -t /etc/ldap/slurpd.keytab replicator@<MY REALM>
----- s n i p -----
That keytab is created like this:
----- s n i p -----
kadmin.local -q "addprinc -randkey replicator@<MY REALM>"
kadmin.local -q "ktadd -k /etc/ldap/slurpd.keytab replicator"
----- s n i p -----
Then all I have to do is make sure 'replicator@<REALM>' has
write access... Should I do that with the usual ACLs, or how
would I write an 'updatedn' config option for this?
--
Turbo __ _ Debian GNU Unix _IS_ user friendly - it's just
^^^^^ / /(_)_ __ _ ___ __ selective about who its friends are
/ / | | '_ \| | | \ \/ / Debian Certified Linux Developer
_ /// / /__| | | | | |_| |> < Turbo Fredriksson turbo@tripnet.se
\\\/ \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden
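The slave-side counterpart to the master stanza in the message above, as an added example that is not part of the original thread and not OpenLDAP's own documentation. It shows how the two pieces the question asks about fit together on the replica listening on localhost:3391: `updatedn` names the one identity slurpd may push changes as, `updateref` sends every other writer back to the master, and an ordinary `access` directive still has to grant that identity write access, because `updatedn` does not bypass ACLs. The SASL-derived DN `uid=replicator,cn=EXAMPLE.COM,cn=gssapi,cn=auth` is the form OpenLDAP 2.1 and later build from a GSSAPI bind; 2.0 built it differently (realm component and mechanism case), so check the DN slapd actually derives for the replicator bind (for example with `ldapwhoami -Y GSSAPI` on releases that ship it) before relying on it. The realm `EXAMPLE.COM`, suffix `dc=example,dc=com`, master URL, backend and paths are assumptions.

```conf
# slave slapd.conf fragment (added example; realm, suffix, URL and paths are
# placeholders, and the SASL DN form must be verified against your release)
include         /etc/ldap/schema/core.schema

# Serve the replicated tree on the port the master's 'replica host=' points at.
# (slapd is started with "-h ldap://localhost:3391/" or the equivalent.)
database        ldbm
suffix          "dc=example,dc=com"
directory       /var/lib/ldap

# Identity slurpd binds as on the master side: GSSAPI as replicator@EXAMPLE.COM,
# which slapd turns into the authorization DN below (2.1+ form, lowercase mech).
updatedn        "uid=replicator,cn=EXAMPLE.COM,cn=gssapi,cn=auth"

# Anyone else who tries to write here is referred to the master instead.
updateref       ldap://master.example.com

# updatedn alone is not enough: the ACLs must also let that DN write.
# Everyone else gets read access; adjust to taste.
access to *
        by dn.exact="uid=replicator,cn=EXAMPLE.COM,cn=gssapi,cn=auth" write
        by * read
```

If the replicator should appear as an ordinary entry rather than the `cn=auth` pseudo-DN, map it with `sasl-regexp` (called `authz-regexp` in later releases) to, say, `cn=replicator,dc=example,dc=com` and use that DN in both `updatedn` and the `access` line; the `dn.exact` ACL style shown is 2.1+ syntax, while 2.0 treated `dn=` as a regular expression and needs the pattern anchored with `^...$`.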