[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Replication slapd.conf example?





--On Wednesday, June 11, 2003 10:12 AM -0400 Jonathan Higgins <jhiggins@kennesaw.edu> wrote:

Ive been working on getting replication using k5, and have a few
questions since this was brought up.

when you start slapd/slurpd on your master, how do you associate the
replicator principal with the server daemons.. Im assuming by some other
documentation thats available on the web, that you have the replicator
account in the keytab of the master, and initiate a kinit at some point.
Does the replicator account need to be in the keytab of each slave also?
... oh.. and is your sasl regex the standard uid=(.*),cn=GSSAPI,cn=auth
uid=$1,ou=users,dc=example,dc=com

Hi Jonathon,

To associate the replicator principle with slurpd, we have in our slurpd start script:

KRB5_KTNAME="/etc/leland/keytab.ldap"
KRB5CCNAME="FILE:/tmp/ldap_replicator.tkt"
export KRB5_KTNAME KRB5CCNAME

case $1 in
start) /usr/local/lib/slurpd -t /var/tmp 1>/dev/console 2>&1

etc.

We use a utility called supervise to get and maintain our K5 ticket for us.

I don't know if you are familiar with the utility, but it is essentially a replacement for init that is quite handy (keeps our inittab clean too).

So we have in /service/k5start/ a script called run that does the following:

exec /usr/local/bin/k5start -u service -i ldap -r stanford.edu -f /etc/leland/keytab.ldap -k /tmp/ldap_replicator.tkt -l 10h -K 30

Therefore we are always guarunteed a valid ticket.

For the SASL part, we do the following:

As a part of our database, we have the following entry:

dn: cn=replicator,cn=service,cn=applications,dc=stanford,dc=edu
objectClass: applicationProcess
objectClass: krb5Principal
cn: Replicator
krb5PrincipalName: service/ldap@stanford.edu

In slapd.conf, we have the following regexp:

sasl-regexp uid=service/(.*),cn=stanford.edu,cn=gssapi,cn=auth ldaps:///cn=Service,cn=Applications,dc=stanford,dc=edu??sub?krb5PrincipalNa
me=service/$1@stanford.edu


This way, when slurpd binds to the slave, it gets mapped to the replicator entry.

--Quanah



--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html