[Date Prev][Date Next]
Re: OpenLDAP replication using GSSAPI for slave server auth
You will need to use the keytab to fetch a TGT for the user account
under which the OpenLDAP server is running. Either a cron-job running
kinit, or k5start (first Google hit:
http://www.eyrie.org/~eagle/software/kstart/k5start.html ) should do the
trick. Assuming you are using SyncRepl, you will need to do this on
each slave LDAP server.
On Wed, 2006-07-12 at 15:58 -0700, Erich Weiler wrote:
> Hi all-
> I've got a working OpenLDAP server (and a working Kerberos server) and
> I'd like to set up a replication server or two for the OpenLDAP server.
> I read the documentation on setting up a replication server and it
> doesn't look too tough IF you use 'simple' password authentication
> between the servers (like 'bindmethod=simple credentials=secret' in
> slapd.conf under the 'replica' heading).
> But I'd like to not have the password in clear text in the slapd.conf
> file and use GSSAPI for slave server authentication instead. I'm
> assuming I need a replica entry that looks something like this:
> replica host=ldapmaster.domain.com:389 starttls=critical
> bindmethod=sasl saslmech=GSSAPI
> but I'm not sure where to go from there.... on my KDC (which happens to
> be the same machine as my master OpenLDAP server) I've made these
> I've also added both those to the keytab file on the master, then copied
> that keytab file to the slave. I guess I'm just not exactly sure how to
> get SASL working with this... I have SASL installed on all the machines
> in question but I'm having a hard time find a HOW-TO or something on
> where to go from here...
> Does anyone have any pointers on how to do this? Or where I could find
> some quick, down and dirty instructions?
> Or... Could I do it without SASL altogether, and somehow tell slapd to
> compare krb5.keytab files on the master and the slave to authenticate?
> Or do some other kind of "public/private" key pair thing to authenticate
> the slave to the master?
> Thanks a million in advance!!