
Re: Replication, Kerberos, SASL, TLS, slurpd

--On Wednesday, August 27, 2003 7:12 AM +0000 jim page <jim2z@hotmail.com> wrote:

Hello everyone,

I have some difficulties figuring out how to achieve a setup described in
the following scenario: I have two servers - server1 and server2. server1
is running an LDAP3.3-based application, which I configured to write to a
replication log (same as openldap). On server1, I have slurpd
"replicating" the entries to iPlanet DS running on server2. The
replication is running ok even with TLS. The thing I am concerned about
is storing a cleartext password in the configuration file for the slurpd
daemon. So I would like to use Kerberos for a single sign on (i.e. slurpd
on server1 authenticates just once) with the iPlanet DS running on
server2. How do I do this? One note though... I cannot write to the LDAP
application running on server1 nor use any other LDAP server on server1.

Hi Jim,

As you'll note, this is the openldap software list -- I'm not sure anyone here will have an answer for your question. You may wish to address this to a Sun support area.

I will note that we do use Kerberos for replication among our OpenLDAP servers without problem. The way that slurpd functions when running with Kerberos is it uses its Kerberos credentials to authenticate to the server each time it binds. That is not quite the same as single sign-on, and it is using SASL, which I don't believe Sun supports.

Our slurpd config for using Kerberos is:

replica         host=ldap9.stanford.edu:389
                tls=yes bindmethod=sasl
                binddn=cn=replicator,cn=service,cn=applications,dc=stanford,dc=edu
                saslmech=gssapi

For starting up slurpd, our slurpd.init file has:

KRB5_KTNAME="FILE:/etc/leland/keytab.ldap"
export KRB5_KTNAME
KRB5CCNAME="FILE:/tmp/ldap_replicator.tkt"
export KRB5CCNAME

echo "slurpd service starting."
   /usr/local/lib/slurpd -t /var/tmp 1>/dev/console 2>&1

You'll need some process that goes and obtains the K5 ticket for slurpd.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
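The "process that goes and obtains the K5 ticket" mentioned in the reply, as an added example that is not part of the original post or of OpenLDAP: a POSIX sh init wrapper that refuses to start if the keytab (which now holds the secret the cleartext password used to hold) is readable by anyone but the service user, obtains the ticket from the keytab with kinit, and then starts slurpd with the same environment as the quoted slurpd.init. The principal name ldap/replicator@EXAMPLE.EDU and the availability of MIT kinit/klist on the host are assumptions.

```shell
#!/bin/sh
# slurpd start wrapper (added example, not the poster's script). Keytab and
# ccache paths and the slurpd command line follow the post; the principal
# name is an assumption constructed for this example.
KEYTAB="${KEYTAB:-/etc/leland/keytab.ldap}"
CCACHE="${CCACHE:-/tmp/ldap_replicator.tkt}"
PRINCIPAL="${PRINCIPAL:-ldap/replicator@EXAMPLE.EDU}"   # assumed principal
SLURPD="${SLURPD:-/usr/local/lib/slurpd}"

# keytab_is_private PATH: succeeds only if PATH is a regular file owned by the
# calling user and not readable by group or others. The keytab is the
# long-term secret that replaces the cleartext credentials= line, so it needs
# the same protection that password would have needed.
keytab_is_private() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)            # e.g. -rw-------
    owner=$(ls -ld "$1" | awk '{print $3}')
    [ "$owner" = "$(id -un)" ] || return 1
    case "$mode" in
        ????r*|???????r*) return 1 ;;           # group (pos 5) or other (pos 8) can read
    esac
    return 0
}

# ticket_is_valid: "klist -s" (MIT Kerberos, assumed present) exits 0 only if
# the cache named by KRB5CCNAME holds an unexpired TGT.
ticket_is_valid() { klist -s; }

# obtain_ticket: kinit -k takes the key from the keytab (-t) instead of
# prompting for a password, and writes the ticket to the KRB5CCNAME cache.
obtain_ticket() { kinit -k -t "$KEYTAB" "$PRINCIPAL"; }

start_slurpd() {
    keytab_is_private "$KEYTAB" || {
        echo "refusing to start: $KEYTAB is missing or readable by others" >&2
        return 1
    }
    KRB5_KTNAME="FILE:$KEYTAB";  export KRB5_KTNAME
    KRB5CCNAME="FILE:$CCACHE";   export KRB5CCNAME
    ticket_is_valid || obtain_ticket || return 1
    echo "slurpd service starting."
    exec "$SLURPD" -t /var/tmp 1>/dev/console 2>&1
}

# Tickets expire: re-run obtain_ticket from cron with the same environment
# before the ticket lifetime ends. slurpd is started only on "start".
case "$1" in
    start) start_slurpd ;;
esac
```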