Re: cross-replication, SASL
At 03:59 PM 1/8/01 -0800, Tomas Maly wrote:
>I was wondering if it was feasible to do "cross-replication"... I had
>the idea that let's say I have multiple LDAP servers and they all are
>masters, and all are running slurpd, and any change can occur on any
>server and replicate completely. From how replication works, I think it
>may be able to work. I would have multiple replica statements in
>slapd.conf and all use some universal way of authenticating, let's say via
>SASL/GSSAPI.
Well, technically, you don't need a universal method for authentication.
Each slurpd just needs to be able to authenticate to the server(s)
it is a client of. If you have a configuration where
    server   ncs    replicas
    A        o=A    B
    B        o=B    C
    C        o=C    A
Each slurpd needs to be able to authenticate to the replica server.
There are numerous ways this can be done. The easiest is to have
a universal authentication framework for all three servers and
name contexts.
>In that case, the binddn of a replica statement for remote
>host A is some key that all ldap hosts have access to... I'm not sure
>how that would work, exactly.
>
>Anyway, in general, how would replication (not necessarily
>cross-replication) work via SASL/GSSAPI?
slurpd is just another client using SASL/GSSAPI to authenticate
on the replica and hence should be viewed as a separate principal.
>What keys would
>host1.domain.com and host2.domain.com require on each specific keytab?
Each LDAP server needs its own key with the principal
named "ldap/hostname@REALM". Each SLURPD should have
its own key named however you like. The DN implied
by the SLURPD principal is what the updatedn needs to
be set to.
Kurt
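The following is an added illustration of the ring Kurt sketches above (A masters o=A and pushes it to B, B masters o=B and pushes it to C, C masters o=C and pushes it to A); it is not configuration from the thread or from the OpenLDAP project. It shows server A's slapd.conf: one database where A is the master (with a replica statement for A's slurpd to use) and one where A is the replica of C (with updatedn set to the DN slapd derives from C's slurpd principal). Hostnames, realm, paths and principal names are assumed, and the replica/saslmech/authcId keywords are taken from the slapd.conf(5) of the 2.x series; the exact form of the SASL-derived DN (uid=...,cn=REALM,cn=gssapi,cn=auth) depends on the slapd version and any sasl-regexp rules, so treat it as an assumption to be verified, not a constant.

```conf
# slapd.conf on server A (hypothetical host a.example.com, realm EXAMPLE.COM)
# Keys assumed in /etc/krb5.keytab on A:
#   ldap/a.example.com@EXAMPLE.COM    - slapd's own GSSAPI server key
#   slurpd/a.example.com@EXAMPLE.COM  - the separate principal A's slurpd
#                                       authenticates with on server B
include     /etc/openldap/schema/core.schema
sasl-realm  EXAMPLE.COM

##### o=A: A is the master; changes are logged for slurpd to push to B #####
database    bdb
suffix      "o=A"
rootdn      "cn=Manager,o=A"
directory   /var/lib/ldap/o-A
replogfile  /var/lib/ldap/o-A.replog

# slurpd on A binds to B with its own Kerberos principal, not with a
# password shared across hosts. slurpd needs a valid ticket for this
# principal (e.g. kinit -k -t <keytab> slurpd/a.example.com) before it starts.
replica     host=b.example.com:389
            suffix="o=A"
            bindmethod=sasl
            saslmech=GSSAPI
            authcId="slurpd/a.example.com"

##### o=C: A is a replica of C; only C's slurpd may write here #####
database    bdb
suffix      "o=C"
directory   /var/lib/ldap/o-C

# updatedn must be the DN slapd assigns to C's slurpd principal after the
# GSSAPI bind. Assumed default mapping; confirm it on this server with
# ldapwhoami before relying on it (see note below).
updatedn    "uid=slurpd/c.example.com,cn=example.com,cn=gssapi,cn=auth"

# Ordinary clients that try to modify o=C on A get a referral to the master,
# so a replica never silently accepts writes that bypass replication.
updateref   ldap://c.example.com/
```

Servers B and C carry the mirror-image statements (B masters o=B with a replica pointing at C and holds o=A with updatedn set to A's slurpd DN, and so on). Because each naming context has exactly one master, the ring does not loop updates back to their origin; three masters for the same naming context would be a different matter, since slurpd has no conflict detection. The one check worth doing before enabling updatedn is to bind to the replica as the slurpd principal and ask slapd which DN it produced (on 2.1 and later: `ldapwhoami -Y GSSAPI -H ldap://a.example.com/` while holding a ticket for slurpd/c.example.com), then paste that exact DN into updatedn; a mismatch means every replicated change is refused with insufficient access rather than applied by the wrong identity.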