[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: errant SASL/GSSAPI setup?

To: Quanah Gibson-Mount <quanah@stanford.edu>
Subject: Re: errant SASL/GSSAPI setup?
From: "Allan E. Johannesen" <aej@WPI.EDU>
Date: Wed, 30 Aug 2006 13:10:17 -0400
Cc: "Allan E. Johannesen" <aej@WPI.EDU>, openldap-software@OpenLDAP.org
In-reply-to: <1BF9C15EB98AE5E66069E3D7@SW-90-717-287-3.stanford.edu>
References: <17653.40565.650621.785696@CCC1.WPI.EDU> <052DD991EEBBEE947896C36E@SW-90-717-287-3.stanford.edu> <17653.48794.770031.999647@CCC1.WPI.EDU> <E940E156DA412F0443F630FF@SW-90-717-287-3.stanford.edu> <4701598B1BFFD28772B3EB82@SW-90-717-287-3.stanford.edu> <17653.50047.377405.766191@CCC1.WPI.EDU> <1BF9C15EB98AE5E66069E3D7@SW-90-717-287-3.stanford.edu>

>>>>> "quanah" == Quanah Gibson-Mount <quanah@stanford.edu> writes:

quanah> --On Wednesday, August 30, 2006 12:57 PM -0400 "Allan E. Johannesen"
quanah> <aej@WPI.EDU> wrote:

>> Yes, I should put that in there.  I just trimmed the "simple" stuff
>> (dn/password) out and put in "sasl".  I should have specified the mechanism.
>> 
>> Nothing else could work in my instance, anyway.

quanah> There is one more major difference between how we are doing syncrepl --
quanah> I use the actual ldap/* principals of my LDAP server, rather than a
quanah> single account instance.  That may be why it continues to work for me
quanah> across new negotiations.

In my first experiment, I picked one of the existing ldap principals, in this
case of a random slave, and did a ktadd to a new file on the experimental
system.  That caused the slave to fail until I ktadd'd the principal to the
/etc/krb5.keytab on the slave again.  I didn't notice the failure until some
time had passed...

I didn't expect it, but my ktadd on this test system caused the principal to
change in the kerberos store and that caused the ldap server on this other
system to fail.  I made the unfounded assumption that ktadd was read-only and
not harmful.

That's why I chose different principals.  I was just lazy to use an existing
one and I was punished by kerberos for my laziness.

References:
- errant SASL/GSSAPI setup?
  - From: "Allan E. Johannesen" <aej@WPI.EDU>
- Re: errant SASL/GSSAPI setup?
  - From: Quanah Gibson-Mount <quanah@stanford.edu>
- Re: errant SASL/GSSAPI setup?
  - From: "Allan E. Johannesen" <aej@WPI.EDU>
- Re: errant SASL/GSSAPI setup?
  - From: Quanah Gibson-Mount <quanah@stanford.edu>
- Re: errant SASL/GSSAPI setup?
  - From: Quanah Gibson-Mount <quanah@stanford.edu>
- Re: errant SASL/GSSAPI setup?
  - From: "Allan E. Johannesen" <aej@WPI.EDU>
- Re: errant SASL/GSSAPI setup?
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

Prev by Date: Re: errant SASL/GSSAPI setup?
Next by Date: Re: errant SASL/GSSAPI setup?
Index(es):
- Chronological
- Thread