
Re: Syncrepl authentication via GSSAPI/SASL/Kerberos



No; that bind DN is used only in simple authentication. I am maintaining them as separate accounts, for the time being. One of my ACLs is:

access to *
        by dn.exact="cn=repl,dc=pressers,dc=name" read
        by dn.exact="uid=ldap/mordor.pressers.name, cn=pressers.name,cn=gssapi,cn=auth" read
        by * break

Which I think ought to cover the permissions required pretty well. As you can see, they have identical permissions.

Also, I just noticed an error introduced by copy-paste in my last email. In both configs there is a floating "i" on the searchbase line. That "i" belongs at the end of "GSSAP" on the saslmech line.

Thanks,
Steve


On 09/30/2014 01:22 PM, Quanah Gibson-Mount wrote:
--On Tuesday, September 30, 2014 2:14 PM -0400 Steven Presser <steve@pressers.name> wrote:

Hi,

I'm running a pair of OpenLDAP servers on a network which primarily uses
kerberos for authentication.  The two servers replicate data (via a
simple syncrepl master-slave setup).  Right now, they're using simple
authentication.  I'd like to move them to using kerberos authentication.

I've successfully gotten them to the point where the kerberos
authentication (appears) to succeed. However, replication doesn't happen with the mysterious error "findbase failed! 32". I have found no mention
of this error, other than a couple of permissions-related errors.  I
double-checked my permissions, so it's not that.

I've copied relevant portions of my slapd.conf below and would be happy
to provide more if required.  I also have a syslog excerpt below.

Does anyone know what I should be looking at next or have an example of a
functional setup similar to what I've described?

It doesn't look like you've set up SASL regexps correctly, or you didn't define your ACLs correctly for the SASL bind ID:

Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=2 BIND authcid="ldap/mordor.pressers.name" authzid="ldap/mordor.pressers.name"
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=2 BIND dn="uid=ldap/mordor.pressers.name,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=56 ssf=56

As you can see, your replication DN was:

       binddn="cn=repl,dc=pressers,dc=name"

--Quanah



--

Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
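The following slapd.conf fragments are an added example, not configuration posted by either participant. They show the approach Quanah's reply points at: instead of keeping two accounts with parallel ACLs, an authz-regexp on the provider maps the GSSAPI identity onto the existing replication DN, so a single ACL (and a single limits line) covers both simple and SASL binds. Hostnames, realm name and suffix are taken from the thread; the searchbase, rid, retry values, the use of refreshAndPersist and the sasl-secprops line are assumptions. One caveat worth checking against the log above: slapd built the bind DN as uid=ldap/mordor.pressers.name,cn=gssapi,cn=auth, with no cn=pressers.name component, because the authcid carried no @REALM. A dn.exact clause matches the DN exactly as slapd constructs it, so an ACL written with the realm RDN present would not apply to that bind; the regexp below makes the realm component optional so both forms map to the same DN.

```conf
# ---------------------------------------------------------------
# Provider (hawking.pressers.name) - added example, not the thread's config
# ---------------------------------------------------------------

# Refuse anonymous and cleartext SASL mechanisms; GSSAPI is still permitted.
# (assumed hardening, not something the thread specifies)
sasl-secprops   noanonymous,noplain

# Map the consumer's Kerberos host principal onto the replication DN.
# The cn=<realm> component is optional so the rule matches whether or not
# the authcid included "@PRESSERS.NAME" (the log shows it did not).
authz-regexp
        "^uid=ldap/mordor\.pressers\.name(,cn=[^,]+)?,cn=gssapi,cn=auth$"
        "cn=repl,dc=pressers,dc=name"

# Replication identities should not be subject to search/time limits,
# otherwise a large initial refresh can be cut short.
limits dn.exact="cn=repl,dc=pressers,dc=name"
        time.soft=unlimited time.hard=unlimited
        size.soft=unlimited size.hard=unlimited

# One ACL now serves both the simple bind and the mapped GSSAPI bind.
access to *
        by dn.exact="cn=repl,dc=pressers,dc=name" read
        by * break

# ---------------------------------------------------------------
# Consumer (mordor.pressers.name) - added example, not the thread's config
# ---------------------------------------------------------------

# bindmethod=sasl with saslmech=GSSAPI; no binddn/credentials are used.
# slapd must hold a valid Kerberos ticket for ldap/mordor.pressers.name in
# its credential cache (how that cache is kept fresh from the keytab is a
# deployment detail assumed here, e.g. a k5start-style helper).
syncrepl rid=001
        provider=ldap://hawking.pressers.name
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=pressers,dc=name"
        bindmethod=sasl
        saslmech=GSSAPI
```

After restarting the provider, the BIND line in syslog should still show mech=GSSAPI but the dn= value should now read cn=repl,dc=pressers,dc=name; if it still shows the uid=...,cn=gssapi,cn=auth form, the authz-regexp did not match and the ACL for cn=repl will not apply to the replication connection.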