OpenLDAP replication using GSSAPI for slave server auth
I've got a working OpenLDAP server (and a working Kerberos server) and
I'd like to set up a replication server or two for the OpenLDAP server.
I read the documentation on setting up a replication server and it
doesn't look too tough IF you use 'simple' password authentication
between the servers (like 'bindmethod=simple credentials=secret' in
slapd.conf under the 'replica' heading).

But I'd like to not have the password in clear text in the slapd.conf
file and use GSSAPI for slave server authentication instead. I'm
assuming I need a replica entry that looks something like this:

replica host=ldapmaster.domain.com:389 starttls=critical

but I'm not sure where to go from there.... On my KDC (which happens to
be the same machine as my master OpenLDAP server) I've made these

I've also added both those to the keytab file on the master, then copied
that keytab file to the slave. I guess I'm just not exactly sure how to
get SASL working with this... I have SASL installed on all the machines
in question but I'm having a hard time finding a HOW-TO or something on
where to go from here...

Does anyone have any pointers on how to do this? Or where I could find
some quick, down and dirty instructions?

Or... Could I do it without SASL altogether, and somehow tell slapd to
compare krb5.keytab files on the master and the slave to authenticate?
Or do some other kind of "public/private" key pair thing to authenticate
the slave to the master?

Thanks a million in advance!!