Re: errant SASL/GSSAPI setup?
>>>>> "quanah" == Quanah Gibson-Mount <firstname.lastname@example.org> writes:
quanah> --On Wednesday, August 30, 2006 10:19 AM -0400 "Allan E. Johannesen"
quanah> <aej@WPI.EDU> wrote:
>> I've been using rootdn passwords over TLS with slurpd and since switching to
>> syncrepl. Seeing a posting by Quanah Gibson-Mount <email@example.com>
>> some weeks ago about k5start and KRB5CCNAME, I was inspired to try to make
>> the switch.
quanah> So, I've been thinking over all of this, and I actually see only one
quanah> You need to index entryUUID.
Well, yes, it's better to index entryUUID. It's critical for good response time
to do it and I did that on my production boxes, but I was testing this on a
different system. I made the mistake of using an existing slapd config from
prior tests and forgot to add the index of entryUUID.
quanah> Let's talk about how this whole replication thing works:
quanah> (a) You get a K5 ticket (or it already exists, thanks to kstart, etc)
quanah> (b) You start the replica
quanah> (c) It connects to the master whenever the master is available. It makes
quanah> a *persistent* connection, since that is what you have specified
quanah> (d) Changes replicate.. time passes, k5start renews the ticket cache, the
quanah> ldap/* bit for the master disappears from the cache
quanah> (e) Changes continue to replicate
quanah> The reason things still work between (d) & (e) is because the
quanah> connection is *persistent*. The ldap/* bit for the master is only
quanah> necessary for establishing the initial connection. That is why
quanah> replication continues to work on my ldap slaves even though they don't
quanah> have an ldap/* principal in their ticket cache any more:
Note that when I control-C the persistent connection, I get an encryption
error. That's relevant to the issue, I think.
/usr/local/libexec/slapd -d 16384 -f /usr/local/etc/openldap/slapd.seethe.conf
daemon: shutdown requested and initiated.
slapd shutdown: waiting for 1 threads to terminate
sb_sasl_write: failed to encode packet: generic failure
After indexing entryUUID, it's happier, but updates still bind up after time:
syncrepl_entry: be_search (0)
syncrepl_entry: be_modify (0)
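The consumer-side setup the thread describes (entryUUID index, refreshAndPersist syncrepl over a GSSAPI bind, ticket cache kept fresh by k5start), as an added illustration and not the poster's slapd.seethe.conf; the provider host, rid, suffix, keytab and cache paths are placeholders, and the k5start invocation is an assumption to check against k5start(1):

```conf
# Consumer slapd.conf fragment (constructed example, not from this thread).

# Without this index every syncrepl_entry be_search is an unindexed scan of
# the replica database; this is the line the poster forgot on the test box.
index   entryUUID   eq

# refreshAndPersist keeps one long-lived connection to the provider. The
# ldap/<provider> service ticket is only needed while that connection is
# being established; once bound, the SASL security layer carries on even if
# the service ticket is later dropped from the cache.
syncrepl rid=001
         provider=ldap://master.example.org
         type=refreshAndPersist
         retry="60 +"
         searchbase="dc=example,dc=org"
         bindmethod=sasl
         saslmech=GSSAPI
         starttls=critical
# If the persistent connection is lost, retry reconnects and the new GSSAPI
# bind obtains a fresh ldap/<provider> ticket from the KDC using the TGT in
# the cache, so the cache only needs a valid TGT, not the service ticket.

# Ticket cache maintenance (assumed k5start flags: -b background, -U take the
# principal from the keytab, -f keytab, -K renew interval in minutes,
# -k cache file). slapd must run with the same KRB5CCNAME in its environment:
#   KRB5CCNAME=/var/run/slapd.ccache \
#     k5start -b -U -f /etc/krb5.ldap.keytab -K 10 -k /var/run/slapd.ccache
```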