
Re: OpenLDAP replication using GSSAPI for slave server auth



Erich-

  You will need to use the keytab to fetch a TGT for the user account
under which the OpenLDAP server is running.  Either a cron-job running
kinit, or k5start (first Google hit:
http://www.eyrie.org/~eagle/software/kstart/k5start.html ) should do the
trick.  Assuming you are using SyncRepl, you will need to do this on
each slave LDAP server.

HTH,
-Matt

On Wed, 2006-07-12 at 15:58 -0700, Erich Weiler wrote:
> Hi all-
> 
> I've got a working OpenLDAP server (and a working Kerberos server) and 
> I'd like to set up a replication server or two for the OpenLDAP server. 
>   I read the documentation on setting up a replication server and it 
> doesn't look too tough IF you use 'simple' password authentication 
> between the servers (like 'bindmethod=simple credentials=secret' in 
> slapd.conf under the 'replica' heading).
> 
> But I'd like to not have the password in clear text in the slapd.conf 
> file and use GSSAPI for slave server authentication instead.  I'm 
> assuming I need a replica entry that looks something like this:
> 
> replica host=ldapmaster.domain.com:389 starttls=critical
>       bindmethod=sasl saslmech=GSSAPI
>       authcId=host/ldapslave.domain.com@MYREALM.COM
> 
> but I'm not sure where to go from there....  on my KDC (which happens to 
> be the same machine as my master OpenLDAP server) I've made these 
> principals:
> 
> ldap/ldapmaster.domain.com@MYREALM.COM
> ldap/ldapslave.domain.com@MYREALM.COM
> 
> I've also added both those to the keytab file on the master, then copied 
> that keytab file to the slave.  I guess I'm just not exactly sure how to 
> get SASL working with this...  I have SASL installed on all the machines 
> in question but I'm having a hard time finding a HOW-TO or something on 
> where to go from here...
> 
> Does anyone have any pointers on how to do this?  Or where I could find 
> some quick, down and dirty instructions?
> 
> Or...  Could I do it without SASL altogether, and somehow tell slapd to 
> compare krb5.keytab files on the master and the slave to authenticate? 
> Or do some other kind of "public/private" key pair thing to authenticate 
> the slave to the master?
> 
> Thanks a million in advance!!
> 
> -erich
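Putting Matt's answer into practice on one consumer, as an added example that is not part of the thread: a script that fetches the TGT from the keytab with kinit, the cron and k5start forms of keeping it fresh, the KRB5CCNAME slapd needs to find the cache, and the matching syncrepl stanza with no credentials= line. The principal and host names are the ones Erich posted; the keytab path, cache path, service user "ldap", renewal interval and the syncrepl searchbase are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: keep a Kerberos TGT for the
# slapd service account fresh from its keytab on each SyncRepl consumer.
# All names below are assumptions for illustration:
#   slapd runs as user/group "ldap"
#   consumer principal  ldap/ldapslave.domain.com@MYREALM.COM (from the thread)
#   keytab              /etc/openldap/ldap.keytab (should hold only this host's key)
#   credential cache    FILE:/var/run/openldap/krb5cc_ldap

KRB_PRINCIPAL="ldap/ldapslave.domain.com@MYREALM.COM"
KRB_KEYTAB="/etc/openldap/ldap.keytab"
KRB_CCACHE="FILE:/var/run/openldap/krb5cc_ldap"
SLAPD_USER="ldap"

# MIT/Heimdal kinit invocation: -k authenticates with the keytab (-t), -c
# selects the cache slapd will read.  Emitted as a string so the same line
# can be dropped into a crontab or run by hand.
kinit_command() {
    printf 'kinit -k -t %s -c %s %s\n' "$KRB_KEYTAB" "$KRB_CCACHE" "$KRB_PRINCIPAL"
}

# /etc/cron.d entry: renew every 6 hours, running as the slapd user so the
# cache is owned by it.  Pick an interval shorter than the KDC's maximum
# ticket life (assumed 10h here) so the TGT never lapses between runs.
cron_entry() {
    printf '0 */6 * * * %s %s\n' "$SLAPD_USER" "$(kinit_command)"
}

# k5start alternative: one daemon that re-fetches the TGT itself.  -K is the
# check interval in minutes, -l the requested ticket life, -o/-g/-m set the
# cache ownership and mode so only the slapd user can read it.
k5start_command() {
    printf 'k5start -b -f %s -k %s -K 60 -l 10h -o %s -g %s -m 600 %s\n' \
        "$KRB_KEYTAB" "$KRB_CCACHE" "$SLAPD_USER" "$SLAPD_USER" "$KRB_PRINCIPAL"
}

# slapd has to be told where the cache is; export this in the environment
# of whatever starts slapd (init script, wrapper) so its GSSAPI bind finds it.
slapd_environment() {
    printf 'KRB5CCNAME=%s\n' "$KRB_CCACHE"
}

# Runtime check for the cron job: klist -s exits 0 only when the cache holds
# a valid, unexpired ticket, so re-run kinit only when it does not.
refresh_tgt() {
    if klist -s -c "$KRB_CCACHE" 2>/dev/null; then
        return 0
    fi
    kinit -k -t "$KRB_KEYTAB" -c "$KRB_CCACHE" "$KRB_PRINCIPAL"
}

# Consumer-side slapd.conf fragment (OpenLDAP 2.3 syncrepl syntax).  With a
# TGT in the cache there is no credentials= line, so no secret in the file;
# searchbase is an assumed value.
syncrepl_fragment() {
    cat <<EOF
syncrepl rid=001
        provider=ldap://ldapmaster.domain.com:389
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=domain,dc=com"
        bindmethod=sasl
        saslmech=GSSAPI
EOF
}

case "${1:-}" in
    refresh) refresh_tgt ;;
    show)    kinit_command; cron_entry; k5start_command
             slapd_environment; syncrepl_fragment ;;
esac
```

`sh tgt.sh show` prints the pieces to paste into cron, the init script and slapd.conf; `sh tgt.sh refresh` is what the cron line can call instead of bare kinit. Two points worth checking on the slave: the keytab there should contain only ldap/ldapslave.domain.com, not a copy of the master's keytab with the master's key in it, and the cache file must be readable by the user slapd runs as, or the GSSAPI bind fails with no useful message in the slapd log.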