Erich-
Here is the relevant snippet from my slave's syncrepl stanza (OL 2.2 -
syntax may have changed for 2.3):
syncrepl rid=8
        provider=ldap://ldap0.uconn.edu
        starttls=critical
        type=refreshAndPersist
        retry=300,+
        searchbase="dc=uconn,dc=edu"
        filter="(objectClass=*)"
        attrs="*,+"
        scope=sub
        schemachecking=on
        updatedn="cn=root,dc=uconn,dc=edu"
        bindmethod=sasl
        saslmech=gssapi
        authcid=ldap/ldap8.uconn.edu@UCONN.EDU
I have a cron job periodically refresh my Kerberos ticket using:
        kinit -c /tmp/krb5cc_slapd -t /etc/openldap/ldap.keytab ldap/ldap8.uconn.edu@UCONN.EDU
This does avoid the use of slurpd.
HTH,
-Matt
On Thu, 2006-07-13 at 08:03 -0700, Erich Weiler wrote:
> Matt-
>
> I think I see what you're getting at. The k5start tool looks extremely
> cool and I think I'll use that. Can I skip using SASL to use this
> method of authentication? Or do I still need something like:
>
> bindmethod=sasl saslmech=GSSAPI
>
> in my syncrepl entry in slapd.conf?
>
> Also, if I use SyncRep can I skip all the stuff about setting up
> replication with slurpd? That would be very nice as that slurpd stuff
> looked kind of sticky.
>
> Sorry about the probably basic questions, I'm kind of new to this stuff
> and am picking it up on the way.... :)
>
> ciao, erich
>
> Matthew J. Smith wrote:
> > Erich-
> >
> > You will need to use the keytab to fetch a TGT for the user account
> > under which the OpenLDAP server is running. Either a cron-job running
> > kinit, or k5start (first Google hit:
> > http://www.eyrie.org/~eagle/software/kstart/k5start.html ) should do the
> > trick. Assuming you are using SyncRepl, you will need to do this on
> > each slave LDAP server.
> >
> > HTH,
> > -Matt
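As an added example (not part of this thread or of OpenLDAP itself), a small Python audit that parses a consumer stanza in the shape Matt posted and flags the two things the thread turns on: a protected transport and a keytab-backed SASL bind instead of a static replication password in slapd.conf. The weak stanza, its provider host and its password are constructed for the example.

```python
import shlex

# Consumer stanza quoted in the message above (OpenLDAP 2.2 syntax).
PAGE_STANZA = """
syncrepl rid=8
    provider=ldap://ldap0.uconn.edu
    starttls=critical
    type=refreshAndPersist
    retry=300,+
    searchbase="dc=uconn,dc=edu"
    filter="(objectClass=*)"
    attrs="*,+"
    scope=sub
    schemachecking=on
    updatedn="cn=root,dc=uconn,dc=edu"
    bindmethod=sasl
    saslmech=gssapi
    authcid=ldap/ldap8.uconn.edu@UCONN.EDU
"""
# Constructed counter-example: plain ldap:// without starttls, simple bind, password in the file.
WEAK_STANZA = """
syncrepl rid=9 provider=ldap://provider.example.com type=refreshOnly
    searchbase="dc=example,dc=com" bindmethod=simple credentials=ChangeMe123
"""

def parse_syncrepl(stanza: str) -> dict:
    # shlex keeps quoted values such as "dc=uconn,dc=edu" and "(objectClass=*)" intact.
    tokens = shlex.split(stanza)
    if not tokens or tokens[0] != "syncrepl":
        raise ValueError("not a syncrepl stanza")
    opts = {}
    for tok in tokens[1:]:
        key, sep, val = tok.partition("=")  # split at the first '=' only
        if not sep:
            raise ValueError(f"malformed option: {tok!r}")
        opts[key.lower()] = val
    return opts

def audit_syncrepl(opts: dict) -> list:
    """Return findings for settings that weaken the consumer's transport or bind."""
    findings = []
    if not opts.get("provider", "").startswith("ldaps://") \
            and opts.get("starttls", "").lower() != "critical":
        findings.append("transport: set starttls=critical or use an ldaps:// provider")
    bind = opts.get("bindmethod", "simple").lower()
    if bind == "simple":
        findings.append("bindmethod=simple: prefer bindmethod=sasl saslmech=gssapi with a keytab")
        if "credentials" in opts:
            findings.append("credentials=: static replication password stored in slapd.conf")
    elif opts.get("saslmech", "").upper() not in ("GSSAPI", "EXTERNAL"):
        findings.append("saslmech: prefer GSSAPI or EXTERNAL over a password-based mechanism")
    return findings
```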