Ldap replication and multiple realms

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Ldap replication and multiple realms

Manel Euro
Hello,

I have been able to configure  replication by using SASL-GSSAPI in my Realm.
However, I share my openldap directory with all sites of my company. Each
site has its own realm so this brings some dificulties when configuring
sasl-gssapi replication.

For now, I am just considering 2 realms (MIT-Kerberos):
A.BASE.COM
B.BASE.COM

The master slapd is on realm A.BASE.COM and the slave is on B.BASE.COM.
Each kerberos KDC trusts the other.

Here are the steps I have defined:

Master slapd (realm A.BASE.COM):
1- kadmin -q "ank -randkey ldap/master.base.com"
2- kadmin -q "ktadd ldap/master.base.com"
3- kadmin -r B.BASE.COM -p a/admin -q"ktadd -k/etc/krb5.keytab.slurpd
[hidden email]" (same line)
4- Edit slapd.conf file and insert replication information


Note: The master and slave have each a sasl-regexp to convert  
uid=replica,cn=B.BASE.COM,cn=gssapi,cn=auth to cn=replica,dc=base,dc=com

Slave slapd (realm B.BASE.COM):
1- kadmin -q "ank [hidden email]"
2- Edit slapd.conf and insert:
rootdn  "cn=replica,dc=base,dc=com"
updatedn "cn=replica,dc=base,dc=com"
updateref  ldap://master.base.com

I know that I am  missing the following steps:
0- kadmin -q "ank -randkey ldap/slave.base.com"
0.1- kadmin -q "ktadd ldap/slave.base.com"
but I donĀ“t know in wich Realm I should create the slave. Can one machine
have services in two realms? Can I have in the same keytab services key for
different realms?

I have been working for two weeks on this without success. Has anyone have
ever done something like this?

Do I need to *create a BASE.COM realm* to put the ldap servers?

Best regards,

M.

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos