[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: errant SASL/GSSAPI setup?

--On Wednesday, August 30, 2006 10:19 AM -0400 "Allan E. Johannesen" <aej@WPI.EDU> wrote:

I've been using rootdn passwords over TLS with slurpd and since switching
to syncrepl.  Seeing a posting by Quanah Gibson-Mount
<quanah@stanford.edu> some weeks ago about k5start and KRB5CCNAME, I was
inspired to try to make the switch.

I grabbed kstart-3.5 and installed it and installed a sasl-regexp in the
LDAP master:

So far, everything looks good.  An update went through and the ldap
ticket was established.  However, after the ticket expires, a subsequent
update does not take place and a new ldap ticket isn't obtained.

I'd take a look at why you haven't set up kstart to continually refresh the ticket, so that it never expires... That's part of the point of using it.

See daemontools. Here is the ticket I use with daemontools to continually keep the K5 ticket active.

# /service/k5start/run -- Run kstart to maintain our ticket for LDAP binds.
# $Id: run,v 1.2 2006/08/03 20:02:07 quanah Exp $


exec /usr/bin/k5start -u ldap -i $HOSTNAME -r stanford.edu \
   -f /etc/krb5.keytab -k /var/run/ldap_syncreplica.tkt -l 10h -K 30


Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html