
Re: slurpd question with GSSAPI





--On Thursday, August 26, 2004 9:52 AM -0700 Quanah Gibson-Mount <quanah@stanford.edu> wrote:



--On Thursday, August 26, 2004 4:04 PM +0000 "Derek T. Yarnell"
<derek@cs.umd.edu> wrote:

uid=host/torch.cs.umd.edu@CSIC.UMD.EDU,cn=CS.UMD.EDU,cn=GSSAPI,cn=auth

Which by my sasl-regex rules will always get talking to the CS

sasl-regexp     uid=(.*),cn=CS.UMD.EDU,cn=GSSAPI,cn=auth
                ldap:///dc=cs,dc=umd,dc=edu??sub?uid=$1
sasl-regexp     uid=(.*),cn=CSIC.UMD.EDU,cn=GSSAPI,cn=auth
                ldap:///dc=csic,dc=umd,dc=edu??sub?uid=$1

So am I doomed to have to run 2 of them? If so, how can I get around the
problem with the REALMS not having an effect on the sasl-regexp? Also, I
am running 2.2.15; should I really be looking at doing syncrepl? Is there
a good example for syncrepl? That is what the docs are missing on the
site.

I'd suggest fixing your regexp to take the realm into effect. You can make the uid= bit do stuff based on realm.

sasl-regexp uid=webauth/(.*),cn=stanford.edu,cn=gssapi,cn=auth
            ldaps:///cn=Webauth,cn=Applications,dc=stanford,dc=edu??sub?krb5PrincipalName=webauth/$1@stanford.edu

vs

sasl-regexp uid=(.*)/cgi,cn=stanford.edu,cn=gssapi,cn=auth
            ldaps:///cn=cgi,cn=applications,dc=stanford,dc=edu??sub?krb5PrincipalName=$1/cgi@stanford.edu


for example.

So you could have something like

uid=(.*)@CSIC.UMD.EDU,cn=CS.UMD.EDU,cn=GSSAPI,cn=auth ..........

Oh, one other thing that may make your life easier. ;)

You can, of course, use completely different entities for the slurpd replication than "host/blah@realm". That is actually what I do. I use "service/ldap@stanford.edu". You can do this by setting environment variables to slurpd about what K5 ticket to use (and then just keep a k5 ticket around for it with something like k5start). So you could technically have two different entities for replication, which would also solve your problem.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
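
The realm-aware rule suggested in the reply above, as an added example that is not part of the original message: a small Python model of how ordered sasl-regexp rules rewrite the authentication DN quoted in the thread, and why the realm-specific rule has to come first. The search URL given to the realm-aware rule, the sample `alice` DN and the helper name `map_sasl_dn` are assumptions made for illustration.

```python
import re

# Rules and authentication DN copied from the thread.
ORIGINAL_RULES = [
    (r"uid=(.*),cn=CS.UMD.EDU,cn=GSSAPI,cn=auth",
     "ldap:///dc=cs,dc=umd,dc=edu??sub?uid=$1"),
    (r"uid=(.*),cn=CSIC.UMD.EDU,cn=GSSAPI,cn=auth",
     "ldap:///dc=csic,dc=umd,dc=edu??sub?uid=$1"),
]
AUTHC_DN = "uid=host/torch.cs.umd.edu@CSIC.UMD.EDU,cn=CS.UMD.EDU,cn=GSSAPI,cn=auth"

# Assumption: the thread elides the target of the realm-aware rule; here it
# reuses the csic search URL from the original second rule.
REALM_RULE = (r"uid=(.*)@CSIC.UMD.EDU,cn=CS.UMD.EDU,cn=GSSAPI,cn=auth",
              "ldap:///dc=csic,dc=umd,dc=edu??sub?uid=$1")

# Constructed sample: a principal in the server's own realm carries no @REALM.
LOCAL_DN = "uid=alice,cn=CS.UMD.EDU,cn=GSSAPI,cn=auth"


def map_sasl_dn(rules, authc_dn):
    """Return (rule_index, rewritten_url) for the first matching rule, or None.

    Models the documented slapd behaviour: patterns are tried in file order
    and evaluation stops at the first match. The unanchored, case-insensitive
    search used here is an approximation of slapd's regex handling.
    """
    for index, (pattern, replacement) in enumerate(rules):
        match = re.search(pattern, authc_dn, re.IGNORECASE)
        if match is None:
            continue
        # Expand $1..$9 in the replacement with the captured groups.
        url = re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), replacement)
        return index, url
    return None


if __name__ == "__main__":
    layouts = {
        "original rules": ORIGINAL_RULES,
        "realm rule last": ORIGINAL_RULES + [REALM_RULE],
        "realm rule first": [REALM_RULE] + ORIGINAL_RULES,
    }
    for name, rules in layouts.items():
        print(f"{name:17} cross-realm -> {map_sasl_dn(rules, AUTHC_DN)}")
        print(f"{name:17} local       -> {map_sasl_dn(rules, LOCAL_DN)}")
```

With the generic `cn=CS.UMD.EDU` rule first, the CSIC principal is searched for in the `dc=cs` tree with the realm still attached to the uid; only the realm-first ordering sends it to `dc=csic`.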