[Date Prev][Date Next] [Chronological] [Thread] [Top]

Multi Master w/ SASL Authentication


I have been migrating my OpenLDAP 2.3 slapd.conf configuration to a 2.4 slapd.d replacement.  Previously I had a single master and two slaves but I have moved it to multi-master with a replicated cn=config and database.  I am using Sasl and Heimdal Kerberos with the principles stored in the ldap database.

I have managed to almost complete this but I'm now stuck on the following point, I can only get GSSAPI LDAP authentication to work on the host whose name is equal to the value of olcSaslHost.  As I have 3 masters and a replicated cn=config this can only be true on one host at a time. i.e.

olcSaslHost: ldap1.my.domain
	ldapsearch -H ldaps://ldap1.my.domain -Y GSSAPI = works
	ldapsearch -H ldaps://ldap2.my.domain -Y GSSAPI = fails
	ldapsearch -H ldaps://ldap3.my.domain -Y GSSAPI = fails

update olcSaslHost to ldap2.my.domain
	ldapsearch -H ldaps://ldap1.my.domain -Y GSSAPI = fails
	ldapsearch -H ldaps://ldap2.my.domain -Y GSSAPI = works
	ldapsearch -H ldaps://ldap3.my.domain -Y GSSAPI = fails

I tried setting olcSaslHost to localhost but then none work so I assume the olcSaslHost value is being used to build a Kerberos principle.  Am I missing a trick or do I have to stop replicating cn=config in order to make it work on all 3?  I can post configuration files if this will help.

This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement,
you may review at http://www.amdocs.com/email_disclaimer.asp