IDs, RootDN and replication
- To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- Subject: IDs, RootDN and replication
- From: Brendan Kearney <bpk678@gmail.com>
- Date: Thu, 27 Jun 2013 19:58:35 -0400
List members,

I have separate olcRootDNs for cn=config and for dc=bpk2,dc=com (cn=config and
cn=Manager,dc=bpk2,dc=com respectively) configured in slapd. I would like to
change this so that the olcRootDNs are part of a DIT, and have their
authentication managed via SASL or Kerberos. I am using the cn=config olcRootDN
as the ID for the n-way multimaster replication of both cn=config and the
olcDatabase for the hdb that has the dc=bpk2,dc=com tree in it. I believe the
below will get the olcRootDNs configured for an ID contained in the DIT:
ldapmodify -QY EXTERNAL -H ldapi:///
# the config database's olcRootDN lives on olcDatabase={0}config,cn=config,
# not on the cn=config (olcGlobal) entry; records are separated by a blank line
dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcRootDN
olcRootDN: cn=config
-
add: olcRootDN
olcRootDN: uid=root,cn=bpk2.com,cn=gssapi,cn=auth
-
delete: olcRootPW
-

dn: olcDatabase={2}hdb,cn=config
changetype: modify
delete: olcRootDN
olcRootDN: cn=Manager,dc=bpk2,dc=com
-
add: olcRootDN
olcRootDN: uid=root,cn=bpk2.com,cn=gssapi,cn=auth
-
delete: olcRootPW
-
When performing the delete action, do I need to do both "delete: olcRootDN"
and then specify "olcRootDN: cn=config"? Since there is only one value, I would
think it is unnecessary, but I just want to check.

What are best practices around using a RootDN ID contained in a DIT? I would
imagine using "root" is something to avoid. What suggestions are there around
the RootDN ID? What about using the RootDN ID as the ID for replication, when
the bind method is SASL and the SASL mech is GSSAPI? Should a different ID be
used for replication?

I am using n-way multi-master replication with credentials= specified in my
configs. With the below, I plan to modify the ID used to do the replication, as
well as the authentication:
ldapmodify -QY EXTERNAL -H ldapi:///
# syncrepl for the config database is on olcDatabase={0}config,cn=config (not on
# cn=config itself); each record needs its own changetype; both new values go
# under a single add; wrapped lines continue with one leading space; with
# bindmethod=sasl the identity comes from the SASL mechanism (for GSSAPI, the
# Kerberos ticket slapd holds), not from binddn
dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcSyncrepl
olcSyncrepl: {1}
-
delete: olcSyncrepl
olcSyncrepl: {0}
-
add: olcSyncrepl
olcSyncrepl: {0}rid=001 provider=ldap://ldap1.bpk2.com
  binddn="replication_user" bindmethod=sasl saslmech=GSSAPI
  searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5"
  timeout=1
olcSyncrepl: {1}rid=002 provider=ldap://ldap2.bpk2.com
  binddn="replication_user" bindmethod=sasl saslmech=GSSAPI
  searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5"
  timeout=1
-

# syncrepl for the dc=bpk2,dc=com tree is set on its database entry, not on the
# dc=bpk2,dc=com entry itself; rid must be unique per syncrepl directive on the
# server (slapd-config(5)), so this database uses 003/004 instead of 001/002 again
dn: olcDatabase={2}hdb,cn=config
changetype: modify
delete: olcSyncrepl
olcSyncrepl: {1}
-
delete: olcSyncrepl
olcSyncrepl: {0}
-
add: olcSyncrepl
olcSyncrepl: {0}rid=003 provider=ldap://ldap1.bpk2.com
  binddn="replication_user" bindmethod=sasl saslmech=GSSAPI
  searchbase="dc=bpk2,dc=com" scope=sub schemachecking=off
  type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncrepl: {1}rid=004 provider=ldap://ldap2.bpk2.com
  binddn="replication_user" bindmethod=sasl saslmech=GSSAPI
  searchbase="dc=bpk2,dc=com" scope=sub schemachecking=off
  type=refreshAndPersist retry="5 5 300 5" timeout=1
-
Does the "replication_user" ID need to be user@domain.tld or in some other
"qualified" format, or will just the ID/name be OK? With the above config to use
SASL auth for replication, do I need to run k5start for the tickets to be
maintained for the replication_user? I don't want to use authcid or authzid
because of the requirement of the credentials being in the config. I want no
password to be in the configs. From what I find, k5start is needed.

Thanks in advance,
Brendan
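As an added example (my own code, not from the post above and not part of OpenLDAP), here is a small audit script for the "no password in the configs" goal the post describes. It parses a cn=config export such as `slapcat -n 0` produces, unfolds LDIF continuation lines, and reports the things a reviewer would look for in the before and after states: an olcRootPW or a syncrepl credentials= stored in the config, a simple bind over plain ldap:// without starttls, a binddn= on a SASL bind (which does not choose the identity; the SASL mechanism does, and for GSSAPI that is the principal in the credential cache of the slapd process), and a rid reused across syncrepl directives. It also derives the uid=...,cn=<realm>,cn=gssapi,cn=auth DN slapd assigns to a Kerberos principal. The sample LDIF, hostnames, realm, password and the lowercase realm in the derived DN are constructed assumptions; the DN shape copies the post's own uid=root,cn=bpk2.com,cn=gssapi,cn=auth.

```python
"""Audit an OpenLDAP cn=config export (slapcat -n 0) for secrets and syncrepl identity
problems: olcRootPW and credentials= kept in the config, simple binds over plain ldap://
without starttls, binddn= on a SASL bind, and rid values shared between directives."""
import base64
import shlex
from collections import defaultdict

# Constructed sample, not from the post: hostnames, realm and password are made up.
# {0}config repeats the post's binddn= on a SASL bind; {1}hdb is the weak "before"
# state; {2}hdb is the SASL/GSSAPI "after" state with no secret in the config.
SAMPLE_LDIF = """\
dn: olcDatabase={0}config,cn=config
olcRootDN: uid=ldapadmin,cn=bpk2.com,cn=gssapi,cn=auth
olcSyncrepl: {0}rid=005 provider=ldap://ldap2.bpk2.com binddn="replication_user"
  bindmethod=sasl saslmech=GSSAPI searchbase="cn=config" type=refreshAndPersist

dn: olcDatabase={1}hdb,cn=config
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW:: c2VjcmV0
olcSyncrepl: {0}rid=001 provider=ldap://ldap1.example.com bindmethod=simple
  binddn="cn=Manager,dc=example,dc=com" credentials=secret searchbase="dc=example,dc=com"
olcSyncrepl: {1}rid=001 provider=ldap://ldap2.example.com bindmethod=simple
  binddn="cn=Manager,dc=example,dc=com" credentials=secret searchbase="dc=example,dc=com"

dn: olcDatabase={2}hdb,cn=config
olcSuffix: dc=bpk2,dc=com
olcRootDN: uid=ldapadmin,cn=bpk2.com,cn=gssapi,cn=auth
olcSyncrepl: {0}rid=003 provider=ldap://ldap1.bpk2.com bindmethod=sasl
  saslmech=GSSAPI searchbase="dc=bpk2,dc=com" type=refreshAndPersist timeout=1
olcSyncrepl: {1}rid=004 provider=ldap://ldap2.bpk2.com bindmethod=sasl
  saslmech=GSSAPI searchbase="dc=bpk2,dc=com" type=refreshAndPersist timeout=1
"""


def parse_ldif(text):
    """Return [(dn, [(attr, value), ...])], joining folded lines and decoding base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # continuation line: drop the single leading space
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, []
    for line in lines + [""]:  # the sentinel blank line flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
            continue
        name, _, rest = line.partition(":")
        # "attr:: v" is base64-encoded, "attr: v" is plain
        value = base64.b64decode(rest[1:].strip()).decode() if rest.startswith(":") else rest.strip()
        if name == "dn":
            dn = value
        else:
            attrs.append((name, value))
    return entries


def parse_syncrepl(value):
    """Split one olcSyncrepl value into {param: value}, dropping the {n} order prefix."""
    if value.startswith("{"):
        value = value.partition("}")[2]
    params = {}
    for token in shlex.split(value):  # shlex keeps quoted values like retry="5 5 300 5" whole
        key, _, val = token.partition("=")
        params[key.lower()] = val
    return params


def audit(ldif_text):
    """Return [(dn, code, message), ...] findings for every olcDatabase entry."""
    findings, rid_owners = [], defaultdict(list)
    for dn, attrs in parse_ldif(ldif_text):
        if not dn.startswith("olcDatabase="):
            continue
        for name, value in attrs:
            if name.lower() == "olcrootpw":
                findings.append((dn, "ROOTPW_IN_CONFIG", "root password kept in the config"))
            if name.lower() != "olcsyncrepl":
                continue
            p = parse_syncrepl(value)
            rid = p.get("rid", "?")
            rid_owners[rid].append(dn)
            method = p.get("bindmethod", "simple").lower()  # slapd defaults to simple
            if "credentials" in p:
                findings.append((dn, "CREDENTIALS_IN_CONFIG", f"rid={rid} keeps credentials= in the config"))
            if (method == "simple" and p.get("provider", "").startswith("ldap://")
                    and p.get("starttls", "no").lower() == "no"):
                findings.append((dn, "CLEARTEXT_SIMPLE_BIND", f"rid={rid} binds over ldap:// without starttls"))
            if method == "sasl" and "binddn" in p:
                findings.append((dn, "BINDDN_IGNORED", f"rid={rid}: binddn= is not the SASL identity"))
    for rid, owners in rid_owners.items():
        if len(owners) > 1:
            findings.append(("cn=config", "DUPLICATE_RID", f"rid={rid} used by {len(owners)} directives"))
    return findings


def sasl_authz_dn(principal):
    """DN slapd derives from a GSSAPI identity before any olcAuthzRegexp rewrite. Lowercasing
    the realm is an assumption taken from the post's uid=root,cn=bpk2.com,cn=gssapi,cn=auth."""
    primary, _, realm = principal.partition("@")
    return f"uid={primary},cn={realm.lower()},cn=gssapi,cn=auth"
```

Run `audit()` over real `slapcat -n 0` output; a clean config yields an empty list. The DN from `sasl_authz_dn()` is the left-hand side of the olcAuthzRegexp that puts the identity into the DIT, for instance (example values, not from the post) `olcAuthzRegexp: uid=([^,]*),cn=bpk2.com,cn=gssapi,cn=auth uid=$1,ou=people,dc=bpk2,dc=com`; once that mapping exists the olcRootDN can name the mapped entry and no olcRootPW is needed. For the replication side, slapd needs a valid ticket for the replication principal in the credential cache named by KRB5CCNAME in its environment, which is what k5start with a keytab keeps renewed, so no password ever sits in cn=config.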