Hi folks,
Thanks to Pierangelo's last reply, I now know what I suspected: that my consumer servers are configured to authenticate to their providers using SASL/GSSAPI, but that sometimes they don't do this, especially with proxy authorization. I've documented the entire install process:
* OpenLDAP provider with MIT Kerberos V on Debian squeeze http://www.rjsystems.nl/en/2100-d6-openldap-provider-kerberos.php
* OpenLDAP consumer with MIT Kerberos V on Debian squeeze http://www.rjsystems.nl/en/2100-d6-openldap-consumer-kerberos.php
The last time I followed these instructions to the letter, proxy authorization worked. Now I've booted up the same machines again a few days later and it no longer works: the consumer still uses SASL to bind with the provider for replication, but it uses a SIMPLE bind for proxy authorization. Of course that results in an error. Yet, the configuration seems unchanged.
Has anyone else experienced this problem?
Thanks,
Jaap
PS -- If anyone is interested, I can supply plenty of details. See also my post of 12/24/2010 03:25:51 AM CET with subject "No ProxyAuthz with SASL-GSSAPI?"