[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: errant SASL/GSSAPI setup?

To: Quanah Gibson-Mount <quanah@stanford.edu>
Subject: Re: errant SASL/GSSAPI setup?
From: "Allan E. Johannesen" <aej@WPI.EDU>
Date: Wed, 30 Aug 2006 15:01:26 -0400
Cc: "Allan E. Johannesen" <aej@WPI.EDU>, openldap-software@OpenLDAP.org
In-reply-to: <47E42827797F87C817E53D22@deus-ex.stanford.edu>
References: <17653.40565.650621.785696@CCC1.WPI.EDU> <47E42827797F87C817E53D22@deus-ex.stanford.edu>

>>>>> "quanah" == Quanah Gibson-Mount <quanah@stanford.edu> writes:

quanah> --On Wednesday, August 30, 2006 10:19 AM -0400 "Allan E. Johannesen"
quanah> <aej@WPI.EDU> wrote:

>> I've been using rootdn passwords over TLS with slurpd and since switching to
>> syncrepl.  Seeing a posting by Quanah Gibson-Mount <quanah@stanford.edu>
>> some weeks ago about k5start and KRB5CCNAME, I was inspired to try to make
>> the switch.

quanah> So, I've been thinking over all of this, and I actually see only one
quanah> error:

quanah> You need to index entryUUID.

Well, yes it's better to index entryUUID.  It's critical for good response time
to do it and I did that on my production boxes, but I was testing this on an
different system.  I made the mistake of using an existing slapd config from
prior tests and forgot to add the index of entryUUID.

quanah> Lets talk about how this whole replication thing works:

quanah> (a) You get a K5 ticket (or it already exists, thanks to kstart, etc)
quanah> (b) You start the replica (c) It connects to the master whenever the
quanah> master is available.  It makes a *persistent* connection, since that is
quanah> what you have specified (d) Changes replicate.. time passes, k5start
quanah> renews the ticket cache, the ldap/* bit for the master disappears from
quanah> the cache (e) Changes continue to replicate

quanah> The reason things still work between (d) & (e) is because the
quanah> connection is *persistent*.  The ldap/* bit for the master is only
quanah> necessary for establishing the initial connection.  That is why
quanah> replication continues to work on my ldap slaves even though they don't
quanah> have an ldap/* principal in their ticket cache any more:

Note that when I control-C the persistent connection, I get an encryption
error.  That's relavent to the issue, I think.

SEETHE:~# fg
/usr/local/libexec/slapd -d 16384 -f /usr/local/etc/openldap/slapd.seethe.conf
daemon: shutdown requested and initiated.
slapd shutdown: waiting for 1 threads to terminate
sb_sasl_write: failed to encode packet: generic failure
slapd stopped.
SEETHE:~# 

After indexing entryUUID, it's happier, but updates still bind up after time:

syncrepl_entry: LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY)
syncrepl_entry: be_search (0)
syncrepl_entry: wpieduPersonUUID=2af586df6800b3389cbe7bcbf2a920df,ou=People,dc=WPI,dc=EDU
syncrepl_entry: be_modify (0)

Follow-Ups:
- Re: errant SASL/GSSAPI setup?
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

References:
- errant SASL/GSSAPI setup?
  - From: "Allan E. Johannesen" <aej@WPI.EDU>
- Re: errant SASL/GSSAPI setup?
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

Prev by Date: Re: errant SASL/GSSAPI setup?
Next by Date: Re: errant SASL/GSSAPI setup?
Index(es):
- Chronological
- Thread