[Date Prev][Date Next] [Chronological] [Thread] [Top]

Ldap replication and multiple realms



Hello,

This message is not 100% ldap related.
I have been able to configure  replication by using SASL-GSSAPI in my Realm.
However, I share my openldap directory with all sites of my company. Each
site has its own realm so this brings some dificulties when configuring
sasl-gssapi replication.

For now, I am just considering 2 realms (MIT-Kerberos):
A.BASE.COM
B.BASE.COM

The master slapd is on realm A.BASE.COM and the slave is on B.BASE.COM.
Each kerberos KDC trusts the other.

Here are the setps I have defined:

Master slapd (realm A.BASE.COM):
1- kadmin -q "ank -randkey ldap/master.base.com"
2- kadmin -q "ktadd ldap/master.base.com"
3- kadmin -r B.BASE.COM -p a/admin -q"ktadd -k/etc/krb5.keytab.slurpd
replicator@B.BASE.COM" (same line)
4- Edit slapd.conf file and insert replication information


Note: The master and slave have each a sasl-regexp to convert uid=replica,cn=B.BASE.COM,cn=gssapi,cn=auth to cn=replica,dc=base,dc=com

Slave slapd (realm B.BASE.COM):
1- kadmin -q "ank replicator@B.BASE.COM"
2- Edit slapd.conf and insert:
rootdn  "cn=replica,dc=base,dc=com"
updatedn "cn=replica,dc=base,dc=com"
updateref  ldap://master.base.com

I know that I am  missing the following steps:
0- kadmin -q "ank -randkey ldap/slave.base.com"
0.1- kadmin -q "ktadd ldap/slave.base.com"
but I don´t know in wich Realm I should create the slave. Can one machine
have services in two realms? Can I have in the same keytab services key for
different realms?

I have been working for two weeks on this without success. Has anyone have
ever done something like this?
I have also posted this message to the kerberos forum but I think this will
be the place to find admins with experience on this.


Best regards,

M.

_________________________________________________________________
Don?t just search. Find. Check out the new MSN Search! http://search.msn.click-url.com/go/onm00200636ave/direct/01/