[24067] in Kerberos


Ldap replication and multiple realms

daemon@ATHENA.MIT.EDU (Manel Euro)
Mon Jun 13 08:00:00 2005

Message-ID: <BAY12-F307F4DFE2A0615FB654769CF00@phx.gbl>
From: "Manel Euro" <euro_32@hotmail.com>
To: kerberos@mit.edu
Date: Mon, 13 Jun 2005 11:59:02 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Errors-To: kerberos-bounces@mit.edu

Hello,

I have been able to configure replication by using SASL-GSSAPI in my Realm.
However, I share my openldap directory with all sites of my company. Each 
site has its own realm so this brings some difficulties when configuring 
sasl-gssapi replication.

For now, I am just considering 2 realms (MIT-Kerberos):
A.BASE.COM
B.BASE.COM

The master slapd is on realm A.BASE.COM and the slave is on B.BASE.COM.
Each kerberos KDC trusts the other.

Here are the steps I have defined:

Master slapd (realm A.BASE.COM):
1- kadmin -q "ank -randkey ldap/master.base.com"
2- kadmin -q "ktadd ldap/master.base.com"
3- kadmin -r B.BASE.COM -p a/admin -q"ktadd -k/etc/krb5.keytab.slurpd replicator@B.BASE.COM"
4- Edit slapd.conf file and insert replication information

Note: The master and slave have each a sasl-regexp to convert
uid=replica,cn=B.BASE.COM,cn=gssapi,cn=auth to cn=replica,dc=base,dc=com

Slave slapd (realm B.BASE.COM):
1- kadmin -q "ank replicator@B.BASE.COM"
2- Edit slapd.conf and insert:
rootdn  "cn=replica,dc=base,dc=com"
updatedn "cn=replica,dc=base,dc=com"
updateref  ldap://master.base.com

I know that I am missing the following steps:
0- kadmin -q "ank -randkey ldap/slave.base.com"
0.1- kadmin -q "ktadd ldap/slave.base.com"
but I don't know in which Realm I should create the slave. Can one machine 
have services in two realms? Can I have in the same keytab services key for 
different realms?

I have been working for two weeks on this without success. Has anyone 
ever done something like this?

Do I need to *create a BASE.COM realm* to put the ldap servers?

Best regards,

M.


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
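The question of whether one keytab can hold service keys for different realms can be settled from the file format itself: every keytab entry carries its own realm string, so a single keytab can contain both an A.BASE.COM and a B.BASE.COM principal, which is what `klist -k` shows when it prints each principal with its realm. The following Python is an added example, not from the post or from MIT Kerberos: a minimal reader for the MIT keytab format 0x0502 that lists principals grouped by realm, run against a constructed in-memory keytab holding the two principal names from the post with dummy key bytes.

```python
import struct

def build_keytab(entries):
    # Serialize (principal, realm, kvno) tuples as an MIT keytab, format version 0x0502.
    # Constructed sample only: key material is 32 zero bytes, enctype 18 (aes256-cts).
    out = b"\x05\x02"
    for princ, realm, kvno in entries:
        comps = princ.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", 18, 32) + b"\x00" * 32  # enctype, key length, key bytes
        body += struct.pack(">I", kvno)                   # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return out
def parse_keytab(data):
    # Return [(principal, realm, kvno, enctype), ...]; only format 0x0502 is handled.
    if data[:2] != b"\x05\x02":
        raise ValueError("only MIT keytab format 0x0502 is supported here")
    pos, entries = 2, []
    def cstr():                         # counted octet string: uint16 length + bytes
        nonlocal pos
        n = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2 + n
        return data[pos - n:pos].decode()
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]; pos += 4
        if size < 0:                    # negative size marks a deleted slot: skip it
            pos += -size; continue
        end = pos + size
        ncomp = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
        realm = cstr()
        comps = [cstr() for _ in range(ncomp)]
        pos += 4 + 4                    # name_type, timestamp
        vno8 = data[pos]; pos += 1
        etype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        pos = end
        entries.append(("/".join(comps), realm, kvno, etype))
    return entries
def principals_by_realm(data):
    # Group principals by realm: one keytab file may hold keys for several realms.
    by_realm = {}
    for princ, realm, kvno, _ in parse_keytab(data):
        by_realm.setdefault(realm, []).append(f"{princ}@{realm} kvno={kvno}")
    return by_realm
# Constructed sample: the two principals the post discusses, in different realms.
SAMPLE = build_keytab([("ldap/slave.base.com", "A.BASE.COM", 3), ("replicator", "B.BASE.COM", 2)])
```

Pointing `parse_keytab` at the bytes of a real keytab (for example the slurpd keytab from step 3 above) lists which realms it actually serves, which is the check to run before debugging the GSSAPI bind itself.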
