OpenLDAP replication using GSSAPI for slave server auth
Hi all-
I've got a working OpenLDAP server (and a working Kerberos server) and
I'd like to set up a replication server or two for the OpenLDAP server.
I read the documentation on setting up a replication server and it
doesn't look too tough IF you use 'simple' password authentication
between the servers (like 'bindmethod=simple credentials=secret' in
slapd.conf under the 'replica' heading).
But I'd like to not have the password in clear text in the slapd.conf
file and use GSSAPI for slave server authentication instead. I'm
assuming I need a replica entry that looks something like this:
replica host=ldapmaster.domain.com:389 starttls=critical
bindmethod=sasl saslmech=GSSAPI
authcId=host/ldapslave.domain.com@MYREALM.COM
but I'm not sure where to go from there. On my KDC (which happens to
be the same machine as my master OpenLDAP server) I've made these
principals:
ldap/ldapmaster.domain.com@MYREALM.COM
ldap/ldapslave.domain.com@MYREALM.COM
I've also added both of those to the keytab file on the master, then copied
that keytab file to the slave. I guess I'm just not exactly sure how to
get SASL working with this... I have SASL installed on all the machines
in question but I'm having a hard time finding a HOW-TO or something on
where to go from here...
Does anyone have any pointers on how to do this? Or where I could find
some quick, down and dirty instructions?
Or... Could I do it without SASL altogether, and somehow tell slapd to
compare krb5.keytab files on the master and the slave to authenticate?
Or do some other kind of "public/private" key pair thing to authenticate
the slave to the master?
Thanks a million in advance!!
-erich
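As an added example, not from the original post and not from OpenLDAP's own documentation, here is what the two slapd.conf files would look like for slurpd-style replication that binds with GSSAPI instead of a cleartext credentials= line. Two facts shape it: with slurpd the master pushes changes to the slave, so it is the master's slurpd that binds, using the master's own principal, and the slave uses updatedn to name the one authenticated identity that may write; and slapd does not see a SASL bind as a Kerberos principal but as a DN of the form uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth. The hostnames and principals are the ones from the post; the suffix dc=domain,dc=com, the rootdn, the replog path and the bdb backend are assumptions.

```conf
# Added example, not part of the original post.
# slurpd-era (OpenLDAP 2.1/2.2) replication with GSSAPI. Only the ldap/
# principals are used; a host/ principal is not needed for this.

########## master: slapd.conf on ldapmaster.domain.com ##########
database      bdb
suffix        "dc=domain,dc=com"            # assumed suffix
rootdn        "cn=Manager,dc=domain,dc=com" # assumed rootdn

# slurpd tails this log and pushes each change to every replica below
replogfile    /var/lib/ldap/replog          # assumed path

# The master binds TO the slave, so the identity here is the master's own.
# There is no credentials= line: the secret lives in the master's keytab
# and the ticket cache slurpd runs with, not in this file.
replica       host=ldapslave.domain.com:389
              bindmethod=sasl saslmech=GSSAPI
              authcId=ldap/ldapmaster.domain.com@MYREALM.COM

# Refuse unprotected binds on the master too; GSSAPI supplies an ssf once
# the security layer is negotiated, so this does not block slurpd
security      ssf=56

########## slave: slapd.conf on ldapslave.domain.com ##########
database      bdb
suffix        "dc=domain,dc=com"
rootdn        "cn=Manager,dc=domain,dc=com"

# The DN slapd derives for the master's GSSAPI bind. Confirm the exact
# string the slave produces before relying on it:
#   ldapwhoami -Y GSSAPI -H ldap://ldapslave.domain.com   (run on the master,
#   with a ticket for ldap/ldapmaster.domain.com in KRB5CCNAME)
# Only this identity may write directly; everyone else is referred away.
updatedn      "uid=ldap/ldapmaster.domain.com,cn=MYREALM.COM,cn=gssapi,cn=auth"
updateref     ldap://ldapmaster.domain.com

# Replication traffic must arrive with a security layer; cleartext or
# anonymous updates are rejected outright
security      ssf=56 update_ssf=56
```

Two things have to be true on the hosts for this to work. The slave's slapd must be able to read the key for ldap/ldapslave.domain.com (the default keytab, or whatever KRB5_KTNAME points at, readable by the user slapd runs as), and the master's slurpd must hold a valid TGT for ldap/ldapmaster.domain.com: obtain it with `kinit -k -t /etc/krb5.keytab ldap/ldapmaster.domain.com`, start slurpd with KRB5CCNAME pointing at that cache, and renew it from cron before it expires, since slurpd will not do so itself. One caveat on the keytab handling described in the post: copying a keytab that contains both ldap/ principals onto the slave gives the slave the master's key as well, so anyone who compromises the replica can impersonate the master. Each host should carry only its own principal's key (`kadmin ... ktadd -k <file> ldap/ldapslave.domain.com` on the slave, or extract just that entry), and the slave's copy of the master's key should be removed.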