[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Syncrepl authentication via GSSAPI/SASL/Kerberos

To: Steven Presser <steve@pressers.name>
Subject: Re: Syncrepl authentication via GSSAPI/SASL/Kerberos
From: Dan White <dwhite@olp.net>
Date: Tue, 30 Sep 2014 13:09:09 -0500
Cc: openldap-technical@openldap.org
Content-disposition: inline
In-reply-to: <542AE8AA.4020206@pressers.name> <542AE4E6.2050402@pressers.name>
User-agent: Mutt/1.5.23 (2014-03-12)

On 09/30/14 13:14 -0400, Steven Presser wrote:

I'm running a pair of OpenLDAP servers on a network which primarilyuses kerberos for authentication. The two servers replicate data (viaa simple syncrepl master-slave setup). Right now, they're usingsimple authentication. I'd like to move them to using kerberosauthentication.

Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=2 BINDdn="uid=ldap/mordor.pressers.name,cn=gssapi,cn=auth" mech=GSSAPIsasl_ssf=56 ssf=56


On 09/30/14 13:30 -0400, Steven Presser wrote:

No; That bind DN is used only in simple authentication. I ammaintaining them as separate accounts, for the time being. One of myACLs is:
access to *
       by dn.exact="cn=repl,dc=pressers,dc=name" read
by dn.exact="uid=ldap/mordor.pressers.name,cn=pressers.name,cn=gssapi,cn=auth" read


Your line here does not match the identity from your logs.

--
Dan White

Follow-Ups:
- Re: Syncrepl authentication via GSSAPI/SASL/Kerberos
  - From: Steven Presser <steve@pressers.name>

References:
- Syncrepl authentication via GSSAPI/SASL/Kerberos
  - From: Steven Presser <steve@pressers.name>

Prev by Date: Re: Syncrepl authentication via GSSAPI/SASL/Kerberos
Next by Date: Re: Syncrepl authentication via GSSAPI/SASL/Kerberos
Index(es):
- Chronological
- Thread