Re: OpenLDAP replication using GSSAPI for slave server auth

access to *
      by self write

I hope this isn't the first ACL you have; allowing self write to all attributes is most likely a security issue.

No, this is my last ACL, there are a few more restrictive ones above it.

by <some kind of entry regarding gssapi ldap/slave.domain.com auth?>

AFAIK, no, you need to just do some SASL to dn mapping with authz-regexp statements.

This is one part I'm not sure how to approach, I'm fairly new to SASL and couldn't make much sense of the documentation on how to use SASL with OpenLDAP authz-regexp... Especially in the sense that I want to use gssapi keytabs to authenticate... Matt, if you're reading this, could you maybe post an example of how you've set this on your master server?

You should probably give your slaves read access to all attributes you want replicated on all entries you want replicated. And, you probably want the slaves to have unlimited (time,size) access.

It's probably most convenient to do this by putting all your slaves in a groupOfNames entry, e.g. cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu (with the DN each slave is mapped to by your authz-regexps as a member attribute) and adding clauses like this to every ACL:

by group="cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu" read

and a line like this in each database:

limits group="cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu"

Then, adding another slave requires only an ldapmodify (besides the slave configuration).

OK, I can add a "cn=Replicator" to my "ou=Group" easily enough, and limit them. Can you maybe give me an example of the authz-regexp stuff?

It can if you slapadd just the base entry for this database (with all normal attributes and at least the entryCSN attribute) with the -w flag (unnecessary if the entry you add has the contextCSN), then the slave should sync itself. However, depending on the size of your directory, it may be a lot more efficient to slapadd a recent dump of the entire database.

By base entry you mean dc=soe,dc=ucsc,dc=edu? Again, sorry, this is me trying to make sense of the documentation while feeling my way through it at the same time...
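
A sketch of the pieces discussed in this thread put together, added here as an example and not taken from either poster's server: the authz-regexp mapping for the slave's GSSAPI identity, the group-based limits and ACL clause, and the slave's syncrepl bind. The ou=Replicas container, the master hostname master.domain.com and rid=001 are assumptions.

```conf
# --- master slapd.conf ---------------------------------------------------
# A SASL/GSSAPI bind as ldap/slave.domain.com arrives with an
# authentication DN of the form
#   uid=ldap/slave.domain.com,cn=<realm>,cn=gssapi,cn=auth
# (the cn=<realm> component may be absent). Map it to a directory DN.
# ou=Replicas is an assumed container, not a name from the thread.
authz-regexp
    ^uid=ldap/([^,]+),(cn=[^,]+,)?cn=gssapi,cn=auth$
    cn=$1,ou=Replicas,dc=soe,dc=ucsc,dc=edu

# The mapped DN must be listed in the replicator group, e.g. (LDIF):
#   dn: cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu
#   objectClass: groupOfNames
#   cn: Replicator
#   member: cn=slave.domain.com,ou=Replicas,dc=soe,dc=ucsc,dc=edu

# In the replicated database section: lift search limits for the group.
limits group="cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu"
    size=unlimited time=unlimited

# Add the group clause to each ACL; "by self write" is the clause quoted
# in the thread and is kept only to show where the new clause goes.
access to *
    by group="cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu" read
    by self write

# --- slave slapd.conf ----------------------------------------------------
# slapd on the slave must hold a Kerberos ticket for
# ldap/slave.domain.com (obtained from its keytab) for this bind to work.
# master.domain.com and rid=001 are assumed values.
syncrepl rid=001
    provider=ldap://master.domain.com
    type=refreshAndPersist
    searchbase="dc=soe,dc=ucsc,dc=edu"
    bindmethod=sasl
    saslmech=GSSAPI
    retry="60 +"
```

The mapping by itself grants nothing: read access and unlimited searches come only from membership in cn=Replicator, so a host principal that is not listed in the group stays subject to the other ACLs. Running `ldapwhoami -Y GSSAPI` against the master with the slave's ticket shows the DN the authz-regexp produced.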

