--On Sunday, July 28, 2024 7:09 PM -0700 Travis Bean tbean74@gmail.com wrote:
I developed a Bash script (https://launchpad.net/linuxha) to automate the installation and configuration of complex Linux software that is out of reach for most people. I want the syntax of this script to be perfect so I can use it as a teaching tool to educate people about Linux.
If anyone on this mailing list is knowledgeable about multi-master OpenLDAP with SASL/GSSAPI authentication, please review the OpenLDAP/SASL/GSSAPI code that is part of my LinuxHA script and provide feedback. Thank you.
I've used SASL/GSSAPI as a bind method at a few different sites. How to configure it is going to depend on how the database DIT is set up.
Just glancing at your script I see errors, such as:
SASL_MECH GSSAPI PLAIN
for ldap.conf. The man page clearly notes this takes a SINGLE mechanism.
Also, SASL/PLAIN is insecure and should never be used.
Generally these days I use Certificate based authentication (SASL/EXTERNAL).
Another note is that SASL/GSASPI is extremely dependent on valid hostname resolution. The pam ldap.conf seems unlikely to work (ldap://localhost for the URI).
I see so many things that are bad practice in this script in general I'm not going to spend any more time reviewing it.
--Quanah