Erich-

You will need to use the keytab to fetch a TGT for the user account under which the OpenLDAP server is running. Either a cron-job running kinit, or k5start (first Google hit: http://www.eyrie.org/~eagle/software/kstart/k5start.html ) should do the trick. Assuming you are using SyncRepl, you will need to do this on each slave LDAP server.

HTH,
-Matt

On Wed, 2006-07-12 at 15:58 -0700, Erich Weiler wrote:
> Hi all-
>
> I've got a working OpenLDAP server (and a working Kerberos server) and
> I'd like to set up a replication server or two for the OpenLDAP server.
> I read the documentation on setting up a replication server and it
> doesn't look too tough IF you use 'simple' password authentication
> between the servers (like 'bindmethod=simple credentials=secret' in
> slapd.conf under the 'replica' heading).
>
> But I'd like to not have the password in clear text in the slapd.conf
> file and use GSSAPI for slave server authentication instead. I'm
> assuming I need a replica entry that looks something like this:
>
> replica host=ldapmaster.domain.com:389 starttls=critical
> bindmethod=sasl saslmech=GSSAPI
> authcId=host/[EMAIL PROTECTED]
>
> but I'm not sure where to go from there.... on my KDC (which happens to
> be the same machine as my master OpenLDAP server) I've made these
> principals:
>
> ldap/[EMAIL PROTECTED]
> ldap/[EMAIL PROTECTED]
>
> I've also added both those to the keytab file on the master, then copied
> that keytab file to the slave. I guess I'm just not exactly sure how to
> get SASL working with this... I have SASL installed on all the machines
> in question but I'm having a hard time finding a HOW-TO or something on
> where to go from here...
>
> Does anyone have any pointers on how to do this? Or where I could find
> some quick, down and dirty instructions?
>
> Or... Could I do it without SASL altogether, and somehow tell slapd to
> compare krb5.keytab files on the master and the slave to authenticate?
> Or do some other kind of "public/private" key pair thing to authenticate
> the slave to the master?
>
> Thanks a million in advance!!
>
> -erich
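Added example, not from Matt's reply or from Erich's setup: a small POSIX shell script of the kind Matt describes, meant to be run from cron on each slave, which uses the keytab to fetch a TGT for the account slapd runs as. Before touching the keytab it refuses to proceed if the file is readable by other local users, since the keys in it are as sensitive as the service's password. It assumes MIT Kerberos kinit/klist (Heimdal's kinit takes --keytab instead of -k -t); the keytab path, principal, credential-cache path and cron schedule are placeholders to be replaced with your own.

```shell
#!/bin/sh
# Hypothetical cron job (constructed example, not from the thread): obtain a
# TGT from the keytab for slapd's GSSAPI replication bind. Assumes MIT
# Kerberos. Every path and name below is a placeholder.

KEYTAB="${KEYTAB:-/etc/ldap/ldap.keytab}"                        # assumption
PRINCIPAL="${PRINCIPAL:-ldap/ldapslave.domain.com@DOMAIN.COM}"   # assumption
# slapd must be started with KRB5CCNAME pointing at this same cache file,
# otherwise the GSSAPI bind will not find the ticket we fetch here.
CACHE="${CACHE:-/var/run/ldap/krb5cc_slapd}"                     # assumption

# Reject a keytab that other local users can read: anyone who can read it can
# obtain tickets as the LDAP service principal.
check_keytab() {
    kt="$1"
    if [ ! -f "$kt" ]; then
        echo "keytab $kt missing" >&2
        return 1
    fi
    # Columns 8-10 of 'ls -l' are the "other" permission bits; any bit set
    # there means every local account can access the file.
    mode=$(ls -l "$kt" | cut -c1-10)
    case "$mode" in
        ???????---) return 0 ;;
        *) echo "keytab $kt is accessible by others ($mode)" >&2; return 1 ;;
    esac
}

# Fetch a fresh TGT into the cache, then verify that a valid ticket is there.
renew_tgt() {
    # -k: authenticate with a keytab instead of a password; -t: which keytab;
    # -c: write to our cache rather than the default /tmp/krb5cc_<uid>.
    kinit -k -t "$KEYTAB" -c "$CACHE" "$PRINCIPAL" || return 1
    # klist -s is silent and exits non-zero when the cache holds no valid TGT.
    KRB5CCNAME="$CACHE" klist -s
}

# Cron entry (constructed example), re-run well inside the ticket lifetime:
#   0 */4 * * *  /usr/local/sbin/slapd-tgt-refresh.sh run
# The "run" argument keeps the functions sourceable without side effects.
if [ "${1:-}" = "run" ]; then
    check_keytab "$KEYTAB" || exit 1
    renew_tgt || { echo "TGT refresh failed for $PRINCIPAL" >&2; exit 1; }
fi
```

Each slave should use its own ldap/<slave-host> principal and keytab rather than a copy of the master's, so a compromised slave can be revoked by itself. k5start is the alternative Matt mentions when you would rather have a daemon keep the ticket renewed continuously than re-run kinit from cron.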
