[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: syncrepl + GSSAPI

--On Thursday, August 05, 2004 11:34 AM -0400 "Matthew J. Smith" <matt.smith@uconn.edu> wrote:


  I have searched the archives and Google with little luck, although
maybe I just haven't used the right keywords yet.  I am looking to
perform replication via syncrepl, using GSSAPI for authentication.  I
have GSSAPI working for user authentication already.

  With syncrepl, how do I get my consumer to obtain a ticket, using it's
keytab (default /etc/krb5.keytab for now, although I'd like to move
that), so that it can attach to my provider?

  I am considering a cron job on the consumer that issues a "kinit
--keytab=..." every so often, but that seems inelegant.

  Is there a way to get the syncrepl process to obtain it's own ticket
using the keytab?  I see a credentials=<password> option in the syncrepl
config -- is there a similar (undocumented?)  keytab=<keytabfile>

Any help is appreciated!

I've been testing syncRepl with GSSAPI.

I suggest you use the k5start utility:


and combine that with svcscan to create a process that will continually keep a ticket alive for you.

Then simply set the KRB5CCNAME environment variable in the startup script for SLAPD.


Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html