
Re: OpenLDAP replication using GSSAPI for slave server auth

On Friday 14 July 2006 03:48, Erich Weiler wrote:
> Hi Matt,
> I think I'm almost there!
> I added a similar entry to my slave server, got my keytabs set up,
> crontabs set up, etc.
> I'm wondering how the master server knows to accept the slave's
> authentication?

The slave will authenticate just like any other identity in the directory.

> Do I need something like: 
> overlay syncprov
> syncprov-checkpoint 100 60
> syncprov-sessionlog 100
> and something like.....
> access to *
>       by self write

I hope this isn't the first ACL you have, allowing self write to all 
attributes is most likely a security issue.

>       by dn="cn=Manager,dc=soe,dc=ucsc,dc=edu"  write

If this is your rootdn, this clause is unnecessary (rootdn always gets write).

>       by <some kind of entry regarding gssapi ldap/slave.domain.com auth?>

AFAIK, no, you need to just do some SASL to dn mapping with authz-regexp.

>       by *   read

This may also not be a good idea, but you haven't stated if this is your full 
ACL list.

> in the master LDAP server's slapd.conf file?
> Do you have access entries for your slaves in slapd.conf on your master
> server?

You should probably give your slaves read access to all attributes you want 
replicated on all entries you want replicated. And, you probably want the 
slaves to have unlimited (time,size) access.

It's probably most convenient to do this by putting all your slaves in a 
groupOfNames entry, eg cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu (with the 
DN each slave is mapped to by your authz-regexp's as a member attribute) and 
add clauses like this to every ACL:

by group="cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu" read

and a line like this in each database:

limits group="cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu" size=unlimited time=unlimited

Then, adding another slave requires only an ldapmodify (besides the slave 

> Also, when you had everything set up correctly, did the slave
> automatically populate /var/lib/ldap with the databases as soon as slapd
> started up?

It can if you slapadd just the base entry for this database (with all normal 
attributes and at least the entryCSN attribute) with the -w flag (unnecessary 
if the entry you add has the contextCSN), then the slave should sync itself. 
However, depending on the size of your directory, it may be a lot more 
efficient to slapadd a recent dump of the entire database.


Buchan Milne
ISP Systems Specialist

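The pieces above (authz-regexp mapping, Replicator group, per-ACL group clause, limits, and a GSSAPI syncrepl consumer) put together in one place, as an added example that is not from the thread. The Kerberos realm SOE.UCSC.EDU, the host names, the ou=Replicas container and the choice of "by users read" instead of "by * read" are assumptions, not something the original message states.

```conf
###### master: slapd.conf fragment ######
# Added example; not taken from the thread. Assumed values: Kerberos realm
# SOE.UCSC.EDU, slave principal ldap/slave.soe.ucsc.edu, mapped replica DNs
# under ou=Replicas,dc=soe,dc=ucsc,dc=edu (the mapped entries need not exist).

# Map the slave's GSSAPI identity to a DN. slapd builds the SASL authzid as
# uid=<principal>,cn=<realm>,cn=gssapi,cn=auth; check the exact string with
# "ldapwhoami -Y GSSAPI" run from the slave before committing the regexp.
authz-regexp
    "uid=ldap/([^,/]+),cn=soe.ucsc.edu,cn=gssapi,cn=auth"
    "cn=$1,ou=Replicas,dc=soe,dc=ucsc,dc=edu"

database        bdb
suffix          "dc=soe,dc=ucsc,dc=edu"
rootdn          "cn=Manager,dc=soe,dc=ucsc,dc=edu"
directory       /var/lib/ldap

overlay         syncprov
syncprov-checkpoint 100 60
syncprov-sessionlog 100

# Members of this groupOfNames are the replicas; a new slave is one ldapmodify.
# Let them pull the whole tree without hitting size/time limits.
limits group="cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu" size=unlimited time=unlimited

# Password hashes: owner may change, replicas may read, everyone else only binds.
access to attrs=userPassword
    by self write
    by group="cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu" read
    by anonymous auth
    by * none

# Everything else: replicas and authenticated users read; no blanket "self write".
access to *
    by group="cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu" read
    by users read
    by * none

###### slave: slapd.conf consumer stanza (inside the slave's database section) ######
# KRB5_KTNAME in slapd's environment must point at the keytab holding
# ldap/slave.soe.ucsc.edu so the GSSAPI bind needs no stored password.
syncrepl rid=001
    provider=ldap://master.soe.ucsc.edu
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=soe,dc=ucsc,dc=edu"
    bindmethod=sasl
    saslmech=GSSAPI
```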