Re: OpenLDAP replication using GSSAPI for slave server auth
On Fri, Jul 14, 2006 at 03:37:31PM +0200, Buchan Milne wrote:
> It's probably most convenient to do this by putting all your slaves in a
> groupOfNames entry, eg cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu (with the
> DN each slave is mapped to by your authz-regexp's as a member attribute) and
> add clauses like this to every ACL:
>
> by group="cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu" read
Yes, the group approach is the best one, but you don't need this line in every
ACL. Just add this to the top:

access to dn.subtree="dc=example,dc=com"
        by group.exact="cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu" read
        by * break

So that, if there is no match, the rest of the ACLs are read and processed as
usual.
>
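
The effect of the trailing "by * break" discussed in this message, as an added example that is not part of the original post and is not OpenLDAP code: a simplified Python model of slapd's first-match access evaluation, including the implicit "by * none stop" that ends every access clause. The member DN, the user DN and the REST clause are constructed stand-ins for a site's own entries and ACLs.

```python
# Simplified model of slapd access-clause evaluation (added example, not OpenLDAP code).
REPLICATORS = "cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu"
SLAVE = "uid=slave1,ou=hosts,dc=example,dc=com"    # constructed placeholder DN
ALICE = "uid=alice,ou=people,dc=example,dc=com"    # constructed placeholder DN
GROUPS = {REPLICATORS: {SLAVE}}                    # constructed group membership

def in_subtree(entry_dn, base):
    """dn.subtree match, simplified to a case-insensitive suffix comparison."""
    entry_dn, base = entry_dn.lower(), base.lower()
    return entry_dn == base or entry_dn.endswith("," + base)

def who_matches(who, bind_dn, entry_dn):
    """Match one <who> field: '*', 'self' or 'group.exact=<group DN>'."""
    if who == "*":
        return True
    if who == "self":
        return bind_dn != "" and bind_dn == entry_dn
    kind, _, value = who.partition("=")
    return kind == "group.exact" and bind_dn in GROUPS.get(value, set())

def evaluate(acl, entry_dn, bind_dn):
    """Return the level granted by the first matching <who> clause."""
    for base, by_clauses in acl:
        if not in_subtree(entry_dn, base):
            continue
        # slapd appends an implicit "by * none stop" to every access clause
        for who, level, control in by_clauses + [("*", "none", "stop")]:
            if who_matches(who, bind_dn, entry_dn):
                if control == "break":
                    break          # go on to the next access clause
                return level       # "stop": evaluation ends here
    return "none"                  # no clause granted anything

# The clause from the message, with and without its last line.
TOP = ("dc=example,dc=com",
       [("group.exact=" + REPLICATORS, "read", "stop"), ("*", None, "break")])
TOP_NO_BREAK = ("dc=example,dc=com",
                [("group.exact=" + REPLICATORS, "read", "stop")])
# Constructed stand-in for "the rest of the ACLs" on a site.
REST = ("ou=people,dc=example,dc=com",
        [("self", "write", "stop"), ("*", "auth", "stop")])

if __name__ == "__main__":
    for name, acl in [("with break", [TOP, REST]), ("without break", [TOP_NO_BREAK, REST])]:
        for who in (SLAVE, ALICE, ""):
            print(name, repr(who), evaluate(acl, ALICE, who))
```

Without the "by * break" line, every identity outside the Replicator group stops at the implicit "by * none" of the first clause and never reaches the later ACLs.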