
Re: syncrepl + GSSAPI



On Thu, 2004-08-05 at 12:03, Quanah Gibson-Mount wrote:
> --On Thursday, August 05, 2004 11:34 AM -0400 "Matthew J. Smith" 
> <matt.smith@uconn.edu> wrote:
> 
> > Hello-
> >
> >   I have searched the archives and Google with little luck, although
> > maybe I just haven't used the right keywords yet.  I am looking to
> > perform replication via syncrepl, using GSSAPI for authentication.  I
> > have GSSAPI working for user authentication already.
> >
> >   With syncrepl, how do I get my consumer to obtain a ticket, using its
> > keytab (default /etc/krb5.keytab for now, although I'd like to move
> > that), so that it can attach to my provider?
> >
> >   I am considering a cron job on the consumer that issues a "kinit
> > --keytab=..." every so often, but that seems inelegant.
> >
> >   Is there a way to get the syncrepl process to obtain its own ticket
> > using the keytab?  I see a credentials=<password> option in the syncrepl
> > config -- is there a similar (undocumented?)  keytab=<keytabfile>
> > option?
> >
> >   Any help is appreciated!
> 
> I've been testing syncRepl with GSSAPI.
> 
> I suggest you use the k5start utility:
> 
> <http://www.eyrie.org/~eagle/software/kstart/>
> 
> and combine that with svcscan to create a process that will continually 
> keep a ticket alive for you.
> 
> Then simply set the KRB5CCNAME environment variable in the startup script 
> for SLAPD.
> 
> --Quanah
> 
> --
> Quanah Gibson-Mount
> Principal Software Developer
> ITSS/Shared Services
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
Thank you for the response.  Google did bring me across k5start, and I
am contemplating its use.  I was hoping that slapd could do this
without needing any extra utilities, simply obtaining and refreshing the
ticket as part of the syncrepl process.  I may use k5start (or even just
a cron'd kinit).  But first, can anyone definitively tell me whether
slapd does or will ever directly support this functionality?

-Matt

-- 
Matthew J. Smith <matt.smith@uconn.edu>
University of Connecticut ITS
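
The setup suggested in the quoted reply (k5start kept alive by a supervisor, KRB5CCNAME exported in the slapd startup script), sketched as an added example that is not part of the original messages. The paths, the `slapd` account name, the 10-minute wake interval and the helper function names are assumptions; the service directory follows the daemontools `run` script convention.

```shell
#!/bin/sh
# Added example: paths, the "slapd" account and the 10-minute interval are
# assumptions, not values from the thread.

# Succeed only if the keytab exists and has no group/other permission bits;
# anyone who can read it can authenticate as the consumer's principal.
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Write a supervised service directory whose run script keeps k5start in
# the foreground, so the supervisor restarts it if it ever exits.
#   $1 service dir   $2 keytab   $3 credential cache file
write_k5start_service() {
    keytab_mode_ok "$2" || {
        echo "refusing: $2 missing or accessible to group/other" >&2
        return 1
    }
    mkdir -p "$1" || return 1
    cat > "$1/run" <<EOF
#!/bin/sh
# -f keytab, -U take the principal from the keytab, -K wake every 10 min
# and renew when needed, -k cache file, -o/-m cache owner and mode
exec k5start -f "$2" -U -K 10 -k "$3" -o slapd -m 600
EOF
    chmod 755 "$1/run"
}

# Emit the lines for the slapd startup script so the syncrepl consumer's
# GSSAPI bind finds the cache that k5start maintains.
slapd_env_lines() {
    printf 'KRB5CCNAME=FILE:%s\nexport KRB5CCNAME\n' "$1"
}
```

Keeping the cache at mode 600 and owned by the slapd account means only the consumer process can use the ticket, and the keytab check stops the service from being set up around a keytab that other local users can read.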
