--On Wednesday, August 30, 2006 10:19 AM -0400 "Allan E. Johannesen" <[EMAIL PROTECTED]> wrote:
I've been using rootdn passwords over TLS with slurpd and since switching to syncrepl. Seeing a posting by Quanah Gibson-Mount <[EMAIL PROTECTED]> some weeks ago about k5start and KRB5CCNAME, I was inspired to try to make the switch. I grabbed kstart-3.5 and installed it and installed a sasl-regexp in the LDAP master:
So far, everything looks good. An update went through and the ldap ticket was established. However, after the ticket expires, a subsequent update does not take place and a new ldap ticket isn't obtained.
I'd take a look at why you haven't set up kstart to continually refresh the ticket, so that it never expires... That's part of the point of using it.
See daemontools. Here is the ticket I use with daemontools to continually keep the K5 ticket active.
#!/bin/sh
# /service/k5start/run -- Run kstart to maintain our ticket for LDAP binds.
# $Id: run,v 1.2 2006/08/03 20:02:07 quanah Exp $

HOSTNAME=`hostname`

# -u/-i/-r: the principal ldap/$HOSTNAME@stanford.edu, keyed from the
# keytab given with -f.  -k: the cache file slapd is pointed at via
# KRB5CCNAME.  -l: requested ticket lifetime.  -K: daemon mode, wake every
# 30 minutes and obtain a fresh ticket before the current one expires, so
# under daemontools supervision the cache never goes stale.
exec /usr/bin/k5start -u ldap -i "$HOSTNAME" -r stanford.edu \
    -f /etc/krb5.keytab -k /var/run/ldap_syncreplica.tkt -l 10h -K 30

--Quanah

-- 
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
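The run script above only keeps a ticket cache fresh; the other half of the setup is telling the consumer slapd to use that cache and telling the provider what the resulting Kerberos identity may do. The fragment below is an added illustration, not configuration from either poster (Allan's actual sasl-regexp is not shown in the thread). The hostnames, the realm example.edu, the DNs and the rid are assumptions chosen for the example.

```conf
# Added example, not from the thread.  Hostnames, realm, DNs and rid are
# assumptions chosen for illustration.

# --- consumer slapd.conf (the replica) ---
# slapd must see the same cache that k5start writes with -k, so whatever
# starts slapd (init script, or a daemontools run script for slapd) has to
# export
#   KRB5CCNAME=FILE:/var/run/ldap_syncreplica.tkt
# before exec'ing it.  No binddn/credentials appear here: with
# bindmethod=sasl and GSSAPI the identity comes from that ticket cache,
# so the rootdn password is no longer needed on the consumer.
syncrepl rid=001
    provider=ldap://ldap-master.example.edu
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=example,dc=edu"
    bindmethod=sasl
    saslmech=GSSAPI

# --- provider slapd.conf (the master) ---
# The consumer authenticates as ldap/ldap-replica.example.edu@EXAMPLE.EDU.
# slapd represents a SASL identity as
#   uid=<authcid>,cn=<realm>,cn=<mechanism>,cn=auth
# Map it onto an ordinary entry that carries the replication ACLs.
# (authz-regexp is the OpenLDAP 2.3 name of the sasl-regexp directive.)
authz-regexp
    "uid=ldap/ldap-replica\.example\.edu,cn=example\.edu,cn=gssapi,cn=auth"
    "cn=syncrepl,ou=services,dc=example,dc=edu"

# Grant that identity read access to what it replicates and nothing more;
# it does not need rootdn.
access to *
    by dn.exact="cn=syncrepl,ou=services,dc=example,dc=edu" read
    by * break
```

Two checks are worth doing before trusting it. First, from the consumer host, run `KRB5CCNAME=FILE:/var/run/ldap_syncreplica.tkt ldapwhoami -Y GSSAPI -H ldap://ldap-master.example.edu` and confirm it answers with the mapped DN rather than the raw `uid=ldap/...,cn=auth` identity; the exact spelling of the realm component in that raw identity is what the authz-regexp has to match, so copy it from this output if it differs. Second, after the -l lifetime has elapsed, run `klist -c /var/run/ldap_syncreplica.tkt` and confirm the expiry has moved forward, which is exactly what a one-shot k5start run does not give you and what Allan's failing update was symptomatic of.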
