[Date Prev][Date Next]
Re: OpenLDAP replication using GSSAPI for slave server auth
Here is how I do the SASL mapping:
I store the matching krb5 principal in a field named "krb5PrincipalName"
for each object. There are other ways to do this that simply map the
map the principal name to a DN - I'm sure someone else on the list can
give you an example of that.
On Fri, 2006-07-14 at 07:55 -0700, Erich Weiler wrote:
> >> access to *
> >> by self write
> > I hope this isn't the first ACL you have, allowing self write to all
> > attributes is most likely a security issue.
> No, this is my last ACL, there are a few more restrictive ones above it.
> >> by <some kind of entry regarding gssapi ldap/slave.domain.com auth?>
> > AFAIK, no, you need to just do some SASL to dn mapping with authz-regexp
> > statements.
> This is one part I'm not sure how to approach, I'm fairly new to SASL
> and couldn't make much sense of the documentation on how to use SASL
> with OpenLDAP authz-regexp... Especially in the sense that I want to use
> gssapi keytabs to authenticate... Matt, if you're reading this, could
> you maybe post an example of how you've set this on your master server?
> > You should probably give your slaves read access to all attributes you want
> > replicated on all entries you want replicated. And, you probably want the
> > slaves to have unlimited (time,size) access.
> > It's probably most convenient to do this by putting all your slaves in a
> > groupOfNames entry, eg cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu (with the
> > DN each slave is mapped to by your authz-regexp's as a member attribute) and
> > add clauses like this to every ACL:
> > by group="cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu" read
> > and a line like this in each database:
> > limits group="cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu"
> > size=unlimited
> > time=unlimited
> > Then, adding another slave requires only an ldapmodify (besides the slave
> > configuration).
> OK, I can add a "cn=Replicator" to my "ou=Group" easily enough, and
> limit them. Can you maybe give me an example of the authz-regexp stuff?
> > It can if you slapadd just the base entry for this database (with all normal
> > attributes and at least the entryCSN attribute) with the -w flag (unnecessary
> > if the entry you add has the contextCSN), then the slave should sync itself.
> > However, depending on the size of your directory, it may be a lot more
> > efficient to slapadd a recent dump of the entire database.
> By base entry you mean dc=soe,dc=ucsc,dc=edu ? Again, sorry, this is me
> trying to make sense of the documentation while feeling my way through
> it at the same time...
> ciao, erich