Dan,Good catch! That did the trick! (This is what I get for reading the format out of the docs instead of the logs... And not double-checking)
Thanks a bunch, Steve On 09/30/2014 02:09 PM, Dan White wrote:
On 09/30/14 13:14 -0400, Steven Presser wrote:I'm running a pair of OpenLDAP servers on a network which primarily uses kerberos for authentication. The two servers replicate data (via a simple syncrepl master-slave setup). Right now, they're using simple authentication. I'd like to move them to using kerberos authentication.Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=2 BIND dn="uid=ldap/mordor.pressers.name,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=56 ssf=56On 09/30/14 13:30 -0400, Steven Presser wrote:No; That bind DN is used only in simple authentication. I am maintaining them as separate accounts, for the time being. One of my ACLs is:access to * by dn.exact="cn=repl,dc=pressers,dc=name" readby dn.exact="uid=ldap/mordor.pressers.name, cn=pressers.name,cn=gssapi,cn=auth" readYour line here does not match the identity from your logs.
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature