
Re: OpenLDAP replication using GSSAPI for slave server auth



Erich-

  Here is the relevant snippet from my slave's syncrepl stanza (OL 2.2 -
syntax may have changed for 2.3):

syncrepl rid=8
        provider=ldap://ldap0.uconn.edu
        starttls=critical
        type=refreshAndPersist
        retry=300,+
        searchbase="dc=uconn,dc=edu"
        filter="(objectClass=*)"
        attrs="*,+"
        scope=sub
        schemachecking=on
        updatedn="cn=root,dc=uconn,dc=edu"
        bindmethod=sasl
        saslmech=gssapi
        authcid=ldap/ldap8.uconn.edu@UCONN.EDU

I have a cron job periodically refreshing my Kerberos ticket using:
        kinit -c /tmp/krb5cc_slapd -t /etc/openldap/ldap.keytab ldap/ldap8.uconn.edu@UCONN.EDU

This does avoid the use of slurpd.

HTH,
-Matt


On Thu, 2006-07-13 at 08:03 -0700, Erich Weiler wrote:
> Matt-
> 
> I think I see what you're getting at.  The k5start tool looks extremely 
> cool and I think I'll use that.  Can I skip using SASL to use this 
> method of authentication?  Or do I still need something like:
> 
> bindmethod=sasl saslmech=GSSAPI
> 
> in my syncrepl entry in slapd.conf?
> 
> Also, if I use SyncRep can I skip all the stuff about setting up 
> replication with slurpd?  That would be very nice as that slurpd stuff 
> looked kind of sticky.
> 
> Sorry about the probably basic questions, I'm kind of new to this stuff 
> and am picking it up on the way....  :)
> 
> ciao, erich
> 
> Matthew J. Smith wrote:
> > Erich-
> > 
> >   You will need to use the keytab to fetch a TGT for the user account
> > under which the OpenLDAP server is running.  Either a cron-job running
> > kinit, or k5start (first Google hit:
> > http://www.eyrie.org/~eagle/software/kstart/k5start.html ) should do the
> > trick.  Assuming you are using SyncRepl, you will need to do this on
> > each slave LDAP server.
> > 
> > HTH,
> > -Matt
