
Re: OpenLDAP replication using GSSAPI for slave server auth
Erich-

  Here is how I do the SASL mapping:
sasl-regexp
        uid=(.*),cn=uconn.edu,cn=gssapi,cn=auth
        ldap:///dc=uconn,dc=edu??sub?(krb5PrincipalName=$1@UCONN.EDU)

I store the matching krb5 principal in a field named "krb5PrincipalName"
for each object.  There are other ways to do this that simply map the
principal name to a DN - I'm sure someone else on the list can give you
an example of that.

HTH,
-Matt

On Fri, 2006-07-14 at 07:55 -0700, Erich Weiler wrote:
> >> access to *
> >>       by self write
> > 
> > I hope this isn't the first ACL you have, allowing self write to all 
> > attributes is most likely a security issue.
> 
> No, this is my last ACL; there are a few more restrictive ones above it.
> 
> > 
> >>       by <some kind of entry regarding gssapi ldap/slave.domain.com auth?>
> > 
> > AFAIK, no, you need to just do some SASL to dn mapping with authz-regexp 
> > statements.
> 
> This is one part I'm not sure how to approach; I'm fairly new to SASL 
> and couldn't make much sense of the documentation on how to use SASL 
> with OpenLDAP authz-regexp... Especially in the sense that I want to use 
> gssapi keytabs to authenticate...  Matt, if you're reading this, could 
> you maybe post an example of how you've set this on your master server?
> 
> > You should probably give your slaves read access to all attributes you want 
> > replicated on all entries you want replicated. And, you probably want the 
> > slaves to have unlimited (time,size) access.
> > 
> > It's probably most convenient to do this by putting all your slaves in a 
> > groupOfNames entry, eg cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu (with the 
> > DN each slave is mapped to by your authz-regexp's as a member attribute) and 
> > add clauses like this to every ACL:
> > 
> > by group="cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu" read
> > 
> > and a line like this in each database:
> > 
> > limits group="cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu"
> >  size=unlimited
> >  time=unlimited
> > 
> > Then, adding another slave requires only an ldapmodify (besides the slave 
> > configuration).
> 
> OK, I can add a "cn=Replicator" to my "ou=Group" easily enough, and 
> limit them.  Can you maybe give me an example of the authz-regexp stuff?
> 
> > It can if you slapadd just the base entry for this database (with all normal 
> > attributes and at least the entryCSN attribute) with the -w flag (unnecessary 
> > if the entry you add has the contextCSN), then the slave should sync itself. 
> > However, depending on the size of your directory, it may be a lot more 
> > efficient to slapadd a recent dump of the entire database.
> 
> By base entry you mean dc=soe,dc=ucsc,dc=edu?  Again, sorry, this is me 
> trying to make sense of the documentation while feeling my way through 
> it at the same time...
> 
> ciao, erich
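To make the mapping Matt posted concrete, here is an added example (not code from this thread or from OpenLDAP) that models what an authz-regexp / sasl-regexp rule does to the identity slapd derives from a GSSAPI bind: the "uid=<principal>,cn=<realm>,cn=gssapi,cn=auth" string is matched against each rule in order and rewritten into either an LDAP URL that is searched (Matt's rule) or a DN used directly (the "other way" he mentions). The realm, host names, the ou=Replicators container and the escaping of captured values are assumptions of this example, not claims about slapd's own implementation.

```python
import re

# Matt's rule: search the directory for the entry whose krb5PrincipalName
# matches the bound principal. Realm and base DN are taken from his post.
SEARCH_RULES = [
    (r"^uid=(.*),cn=uconn\.edu,cn=gssapi,cn=auth$",
     "ldap:///dc=uconn,dc=edu??sub?(krb5PrincipalName=$1@UCONN.EDU)"),
]

# The "other way": map an ldap/<host> service principal straight to a DN
# (hypothetical ou=Replicators container), with no search at all.
DIRECT_DN_RULES = [
    (r"^uid=ldap/([^,/]+),cn=uconn\.edu,cn=gssapi,cn=auth$",
     "cn=$1,ou=Replicators,dc=uconn,dc=edu"),
]


def escape_filter_value(value):
    """RFC 4515 escaping (this example's choice), so a captured value
    cannot change the shape of the search filter it is substituted into."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def escape_dn_value(value):
    """RFC 4514 escaping for characters that would split or alter an RDN."""
    return "".join("\\" + c if c in ',+"\\<>;' else c for c in value)


def map_sasl_identity(authcid, realm, rules, mech="gssapi"):
    """Build the slapd-style SASL identity for a bind and return the
    rewritten form from the first matching rule, or None if none match
    (a realm other than the one anchored in the rule never matches)."""
    ident = f"uid={authcid},cn={realm},cn={mech},cn=auth"
    for pattern, template in rules:
        m = re.match(pattern, ident)
        if not m:
            continue
        # URL templates feed a filter, DN templates feed an RDN: escape accordingly.
        esc = escape_filter_value if template.startswith("ldap:///") else escape_dn_value
        out = template
        for i, group in enumerate(m.groups(), start=1):
            out = out.replace(f"${i}", esc(group))
        return out
    return None


if __name__ == "__main__":
    # Constructed sample: a slave's service principal in the UCONN.EDU realm.
    print(map_sasl_identity("ldap/slave.uconn.edu", "uconn.edu", SEARCH_RULES))
    print(map_sasl_identity("ldap/slave.uconn.edu", "uconn.edu", DIRECT_DN_RULES))
```

Whichever form you choose, the DN that results is what goes into the cn=Replicator groupOfNames and what the `by group=...` ACL and `limits group=...` lines then apply to.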