Re: Replication slapd.conf example?
--On Wednesday, June 11, 2003 10:12 AM -0400 Jonathan Higgins
I've been working on getting replication using K5, and have a few
questions since this was brought up.
When you start slapd/slurpd on your master, how do you associate the
replicator principal with the server daemons? I'm assuming, from some other
documentation that's available on the web, that you have the replicator
account in the keytab of the master, and initiate a kinit at some point.
Does the replicator account need to be in the keytab of each slave also?
... oh, and is your SASL regexp the standard uid=(.*),cn=GSSAPI,cn=auth?
To associate the replicator principal with slurpd, we have in our slurpd
startup script:

    # keytab and ticket-cache paths are assigned above (values not shown here)
    export KRB5_KTNAME KRB5CCNAME
    case $1 in
    start) /usr/local/lib/slurpd -t /var/tmp 1>/dev/console 2>&1
           ;;
    esac
We use a utility called supervise to get and maintain our K5 ticket for us.
I don't know if you are familiar with the utility, but it is essentially a
replacement for init that is quite handy (keeps our inittab clean too).
So we have in /service/k5start/ a script called run that does the following:
    exec /usr/local/bin/k5start -u service -i ldap -r stanford.edu \
         -f /etc/leland/keytab.ldap -k /tmp/ldap_replicator.tkt -l 10h -K 30

Therefore we are always guaranteed a valid ticket.
For the SASL part, we do the following:
As a part of our database, we have the following entry:
In slapd.conf, we have the following regexp:
This way, when slurpd binds to the slave, it gets mapped to the replicator
Senior Systems Administrator
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
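The sasl-regexp step discussed in this thread is easy to get subtly wrong, so here is an added example (mine, not Quanah's configuration or OpenLDAP's code) that models how slapd walks its sasl-regexp rules: rules are tried in order, the first pattern that matches the SASL authentication identity wins, and $1-style back-references in the replacement are filled from the match. The rule table, DNs, realm and principal names are all hypothetical. The toy uses fullmatch and case-insensitive matching; real slapd patterns are POSIX regexps that you should anchor with ^ and $ yourself, and I am treating its case-insensitivity as an assumption. The point it demonstrates: a catch-all uid=(.*) rule placed before a specific rule for the replicator's service principal quietly maps that principal to a non-existent people entry, so the replicator's rule must come first (or the catch-all must refuse principals containing a slash).

```python
import re
from typing import List, Optional, Tuple

# Hypothetical rule table in the shape of slapd's sasl-regexp lines:
# (pattern, replacement). Order matters: first match wins.
SASL_REGEXPS: List[Tuple[str, str]] = [
    # Specific rule for the replicator's service principal, listed first.
    (r"uid=ldap/replica\.example\.com,cn=gssapi,cn=auth",
     "cn=replicator,dc=example,dc=com"),
    # Catch-all for ordinary users; [^,/]+ refuses service principals
    # (which contain a slash) instead of inventing a people DN for them.
    (r"uid=([^,/]+),cn=gssapi,cn=auth",
     "uid=$1,ou=people,dc=example,dc=com"),
]

# The same two rules in the wrong order, with the usual greedy (.*) catch-all.
LOOSE_RULES: List[Tuple[str, str]] = [
    (r"uid=(.*),cn=gssapi,cn=auth",
     "uid=$1,ou=people,dc=example,dc=com"),
    (r"uid=ldap/replica\.example\.com,cn=gssapi,cn=auth",
     "cn=replicator,dc=example,dc=com"),
]


def _to_python_template(ldap_template: str) -> str:
    """Turn slapd-style $1..$9 back-references into re's \\g<1>..\\g<9>."""
    return re.sub(r"\$(\d)", r"\\g<\1>", ldap_template)


def map_sasl_dn(authid: str,
                rules: List[Tuple[str, str]] = SASL_REGEXPS) -> Optional[str]:
    """Map a SASL authentication identity to a DN, first matching rule wins.

    Returns None when no rule matches (slapd would then use the raw
    uid=...,cn=auth identity, which matches no ACL written for real DNs).
    """
    for pattern, template in rules:
        # fullmatch stands in for an explicitly ^...$-anchored POSIX regexp;
        # IGNORECASE assumed to mirror slapd's matching of the auth DN.
        m = re.fullmatch(pattern, authid, flags=re.IGNORECASE)
        if m:
            return m.expand(_to_python_template(template))
    return None


def replicator_is_mapped_correctly(rules: List[Tuple[str, str]]) -> bool:
    """Check that the replicator's principal lands on the replicator entry."""
    # Constructed identity, as slapd would derive it from a GSSAPI bind by the
    # principal ldap/replica.example.com (realm omitted in this toy).
    return (map_sasl_dn("uid=ldap/replica.example.com,cn=GSSAPI,cn=auth", rules)
            == "cn=replicator,dc=example,dc=com")


if __name__ == "__main__":
    for label, rules in (("ordered", SASL_REGEXPS), ("loose", LOOSE_RULES)):
        for authid in ("uid=jsmith,cn=GSSAPI,cn=auth",
                       "uid=ldap/replica.example.com,cn=GSSAPI,cn=auth",
                       "uid=jsmith,cn=DIGEST-MD5,cn=auth"):
            print(f"{label:8} {authid:50} -> {map_sasl_dn(authid, rules)}")
```

With the ordered table the service principal maps to cn=replicator and a DIGEST-MD5 identity maps to nothing (so a non-GSSAPI bind cannot impersonate a user); with the loose table the replicator becomes uid=ldap/replica.example.com,ou=people,..., an entry that does not exist, and updates from the master are refused by the slave's ACLs.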