[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP replication using GSSAPI for slave server auth

To: "Matthew J. Smith" <matt.smith@uconn.edu>
Subject: Re: OpenLDAP replication using GSSAPI for slave server auth
From: Erich Weiler <weiler@soe.ucsc.edu>
Date: Thu, 13 Jul 2006 08:03:16 -0700
Cc: OpenLDAP-software@OpenLDAP.org
In-reply-to: <1152799043.6643.9.camel@d80h159.uconn.edu>
References: <44B57EA8.7090303@soe.ucsc.edu> <1152799043.6643.9.camel@d80h159.uconn.edu>
User-agent: Thunderbird 1.5.0.4 (Macintosh/20060516)

Matt-

I think I see what you're getting at. The k5start tool looks extremely cool and I think I'll use that. Can I skip using SASL to use this method of authentication? Or do I still need something like:

bindmethod=sasl saslmech=GSSAPI

in my syncrepl entry in slapd.conf?

Also, if I use SyncRep can I skip all the stuff about setting up replication with slurpd? That would be very nice as that slurpd stuff looked kind of sticky.

Sorry about the probably basic questions, I'm kind of new to this stuff and am picking it up on the way.... :)

ciao, erich

Matthew J. Smith wrote:

Erich-

  You will need to use the keytab to fetch a TGT for the user account
under which the OpenLDAP server is running.  Either a cron-job running
kinit, or k5start (first Google hit:
http://www.eyrie.org/~eagle/software/kstart/k5start.html ) should do the
trick.  Assuming you are using SyncRepl, you will need to do this on
each slave LDAP server.

HTH,
-Matt

Follow-Ups:
- Re: OpenLDAP replication using GSSAPI for slave server auth
  - From: "Smith, Matt" <matt.smith@uconn.edu>

References:
- OpenLDAP replication using GSSAPI for slave server auth
  - From: Erich Weiler <weiler@soe.ucsc.edu>
- Re: OpenLDAP replication using GSSAPI for slave server auth
  - From: "Matthew J. Smith" <matt.smith@uconn.edu>

Prev by Date: Re: Change default port number
Next by Date: Re: OpenLDAP replication using GSSAPI for slave server auth
Index(es):
- Chronological
- Thread