Ldap replication and multiple realms
Hello,
This message is not 100% ldap related.
I have been able to configure replication by using SASL-GSSAPI in my Realm.
However, I share my openldap directory with all sites of my company. Each
site has its own realm, so this brings some difficulties when configuring
sasl-gssapi replication.
For now, I am just considering 2 realms (MIT-Kerberos):
A.BASE.COM
B.BASE.COM
The master slapd is on realm A.BASE.COM and the slave is on B.BASE.COM.
Each Kerberos KDC trusts the other.
Here are the steps I have defined:
Master slapd (realm A.BASE.COM):
1- kadmin -q "ank -randkey ldap/master.base.com"
2- kadmin -q "ktadd ldap/master.base.com"
3- kadmin -r B.BASE.COM -p a/admin -q"ktadd -k/etc/krb5.keytab.slurpd replicator@B.BASE.COM"
4- Edit slapd.conf file and insert replication information
Note: The master and slave have each a sasl-regexp to convert
uid=replica,cn=B.BASE.COM,cn=gssapi,cn=auth to cn=replica,dc=base,dc=com
Slave slapd (realm B.BASE.COM):
1- kadmin -q "ank replicator@B.BASE.COM"
2- Edit slapd.conf and insert:
rootdn "cn=replica,dc=base,dc=com"
updatedn "cn=replica,dc=base,dc=com"
updateref ldap://master.base.com
I know that I am missing the following steps:
0- kadmin -q "ank -randkey ldap/slave.base.com"
0.1- kadmin -q "ktadd ldap/slave.base.com"
but I don't know in which realm I should create the slave. Can one machine
have services in two realms? Can I have in the same keytab service keys for
different realms?
I have been working for two weeks on this without success. Has anyone
ever done something like this?
I have also posted this message to the kerberos forum but I think this will
be the place to find admins with experience on this.
Best regards,
M.