
OpenLDAP replication using GSSAPI for slave server auth



Hi all-

I've got a working OpenLDAP server (and a working Kerberos server) and I'd like to set up a replication server or two for the OpenLDAP server. I read the documentation on setting up a replication server and it doesn't look too tough IF you use 'simple' password authentication between the servers (like 'bindmethod=simple credentials=secret' in slapd.conf under the 'replica' heading).

But I'd like to not have the password in clear text in the slapd.conf file and use GSSAPI for slave server authentication instead. I'm assuming I need a replica entry that looks something like this:

replica host=ldapmaster.domain.com:389 starttls=critical
     bindmethod=sasl saslmech=GSSAPI
     authcId=host/ldapslave.domain.com@MYREALM.COM

but I'm not sure where to go from there... On my KDC (which happens to be the same machine as my master OpenLDAP server) I've made these principals:

ldap/ldapmaster.domain.com@MYREALM.COM
ldap/ldapslave.domain.com@MYREALM.COM

I've also added both those to the keytab file on the master, then copied that keytab file to the slave. I guess I'm just not exactly sure how to get SASL working with this... I have SASL installed on all the machines in question but I'm having a hard time finding a HOW-TO or something on where to go from here...

Does anyone have any pointers on how to do this? Or where I could find some quick, down and dirty instructions?

Or... Could I do it without SASL altogether, and somehow tell slapd to compare krb5.keytab files on the master and the slave to authenticate? Or do some other kind of "public/private" key pair thing to authenticate the slave to the master?

Thanks a million in advance!!

-erich
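
Added worked example (editor's note; this is not part of erich's post and not OpenLDAP project code). It lays out the slurpd-era setup the post is asking about: the master's slapd.conf gets the "replica" line with bindmethod=sasl saslmech=GSSAPI (note it names the slave, since slurpd on the master pushes to the slave), and the slave maps the master's Kerberos identity to its updatedn with a sasl-regexp. Host names, realm and principals are the ones from the post; the suffix dc=domain,dc=com, the update DN cn=replicator,dc=domain,dc=com, the keytab, replog and ticket-cache paths are assumptions for illustration. Two practical points the post does not cover: the Cyrus SASL GSSAPI client side needs a ticket cache, not just a keytab, so the account slurpd runs as must kinit from the keytab and keep the ticket renewed; and each host should hold only its own ldap/ key in its keytab, so extract the slave's principal separately rather than copying the master's full keytab, otherwise the slave can impersonate the master.

```sh
#!/bin/sh
# Added example, not from the original post: slurpd replication with the
# master authenticating to the slave via SASL/GSSAPI instead of a cleartext
# "credentials=" password. Assumed values are marked below.

set -eu

MASTER=ldapmaster.domain.com
SLAVE=ldapslave.domain.com
REALM=MYREALM.COM
SUFFIX='dc=domain,dc=com'                  # assumed suffix
UPDATEDN="cn=replicator,$SUFFIX"           # assumed update DN on the slave
KEYTAB=/etc/krb5.keytab                    # assumed keytab path on the master
CCACHE=/var/run/slurpd.krb5cc              # assumed ticket cache for slurpd

# The authorization DN slapd derives for a GSSAPI-authenticated principal:
#   uid=<primary[/instance]>,cn=<realm, lowercased>,cn=gssapi,cn=auth
# This is the string the slave's sasl-regexp has to match. Confirm it with
# "ldapwhoami -Y GSSAPI" against the slave before relying on it.
sasl_authz_dn() {
    princ=$1
    user=${princ%@*}
    realm=$(printf '%s' "${princ##*@}" | tr '[:upper:]' '[:lower:]')
    printf 'uid=%s,cn=%s,cn=gssapi,cn=auth' "$user" "$realm"
}

# slapd.conf fragment for the MASTER. slurpd runs here and pushes to the
# slave, so the replica line names the slave and the master's own principal.
# No credentials= line: the Kerberos ticket is the credential.
write_master_fragment() {
    cat > "$1" <<EOF
# slurpd pushes changes from this master to the slave
replica host=$SLAVE:389 starttls=critical
    bindmethod=sasl saslmech=GSSAPI
    authcId=ldap/$MASTER@$REALM
replogfile /var/lib/ldap/replog
EOF
}

# slapd.conf fragment for the SLAVE: map the master's Kerberos identity to
# the updatedn, point clients' writes back at the master, and let only the
# updatedn write.
write_slave_fragment() {
    authz=$(sasl_authz_dn "ldap/$MASTER@$REALM")
    cat > "$1" <<EOF
# "sasl-regexp" in the 2.1/2.2 series; spelled "authz-regexp" from 2.3 on
sasl-regexp
    $authz
    $UPDATEDN
updatedn "$UPDATEDN"
updateref ldap://$MASTER
access to *
    by dn.exact="$UPDATEDN" write
    by * read
EOF
}

# Run on the master, as the user slurpd runs as. The SASL GSSAPI client needs
# a credentials cache, so get a TGT from the keytab, then check that the
# slave maps us to the updatedn. -ZZ insists on StartTLS, matching
# starttls=critical above. Expected output: "dn:cn=replicator,dc=domain,dc=com"
check_gssapi_bind() {
    export KRB5CCNAME="$CCACHE"
    kinit -k -t "$KEYTAB" "ldap/$MASTER@$REALM"
    ldapwhoami -Y GSSAPI -ZZ -H "ldap://$SLAVE"
}

case "${1:-}" in
    write)
        write_master_fragment ./master-replica.conf
        write_slave_fragment ./slave-replica.conf
        ;;
    check)
        check_gssapi_bind
        ;;
esac
```

Usage: "sh replica-gssapi.sh write" produces the two fragments to merge into each host's slapd.conf; "sh replica-gssapi.sh check" is run on the master with the same KRB5CCNAME slurpd will see. The ticket obtained by kinit expires, so slurpd's environment needs it refreshed (a cron job or k5start re-running the kinit) or pushes will start failing with a SASL bind error once the TGT lapses.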