hi to all,
I'd like to split the replication for cn=config and the object-db between two different Kerberos principals, so I did the following (so far):
1. created two principals and a keytab for both of them
2. configured k5start to get two different ccache files (one for each user)
3. Now I want to change my syncrepl from:
---------------------------
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=001 provider=ldaps://provider01.example.net bindmethod=sasl saslmech=gssapi searchbase="cn=config" type=refreshAndPersist retry="5 5 100 +" timeout=1 tls_reqcert=allow
olcSyncRepl: rid=002 provider=ldaps://provider02.example.net bindmethod=sasl saslmech=gssapi searchbase="cn=config" type=refreshAndPersist retry="5 5 100 +" timeout=1 tls_reqcert=allow
---------------------------
And
-----------------------------
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=101 provider=ldaps://provider01.example.net bindmethod=sasl saslmech=gssapi authzid=uid=krepl-main,cn=gssapi,cn=auth timeout=0 network-timeout=0 filter="(objectclass=*)" searchbase="dc=example,dc=net" scope=sub schemachecking=off type=refreshAndPersist retry="60 +" tls_reqcert=allow
olcSyncrepl: rid=102 provider=ldaps://provider02.example.net bindmethod=sasl saslmech=gssapi authzid=uid=krepl-main,cn=gssapi,cn=auth timeout=0 network-timeout=0 filter="(objectclass=*)" searchbase="dc=example,dc=net" scope=sub schemachecking=off type=refreshAndPersist retry="60 +" keepalive=240:10:30 tls_reqcert=allow
-----------------------------------
to use a different identity. I found the options [authcid=<identity>] [authzid=<identity>]
but nothing on how to configure these options.
When I get the ticket for the user and do an ldapwhoami I'm getting dn:uid=krepl-config,cn=gssapi,cn=auth and dn:uid=krepl-main,cn=gssapi,cn=auth
The DNs are: krbPrincipalName=krepl-config@EXAMPLE.NET,cn=EXAMPLE.NET,cn=kerberos,dc=example,dc=net
and krbPrincipalName=krepl-main@EXAMPLE.NET,cn=EXAMPLE.NET,cn=kerberos,dc=example,dc=net
So which option do I have to take and what is the right value for the option?
Stefan
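An added example, not from the post or from OpenLDAP itself: a small Python audit that unfolds an LDIF modify like the ones above, parses each olcSyncrepl value (including double-quoted values such as retry="60 +") and reports, per rid, which authcid/authzid the consumer carries and whether tls_reqcert still verifies the provider's certificate. The LDIF inside is a constructed sample, not the poster's config.

```python
import shlex

# Constructed sample LDIF: folded continuation lines start with one space,
# which LDIF strips when joining, so the real separator is the second space.
SAMPLE_LDIF = """\
dn: olcDatabase={2}mdb,cn=config
olcSyncrepl: rid=101 provider=ldaps://provider01.example.net bindmethod=sasl
  saslmech=gssapi authzid=uid=krepl-main,cn=gssapi,cn=auth retry="60 +"
  searchbase="dc=example,dc=net" tls_reqcert=allow
olcSyncrepl: rid=102 provider=ldaps://provider02.example.net bindmethod=sasl
  saslmech=gssapi retry="60 +" tls_reqcert=demand
"""

def unfold_ldif(text):
    """Yield (attr, value) pairs with folded continuation lines joined."""
    records = []
    for line in text.splitlines():
        if line.startswith(" ") and records:
            records[-1] += line[1:]          # drop only the fold marker
        elif line.strip():
            records.append(line)
    for rec in records:
        attr, _, value = rec.partition(":")
        yield attr.strip().lower(), value.strip()

def parse_syncrepl(value):
    """Split one olcSyncrepl value into {keyword: value}; quoted values may hold spaces."""
    items = {}
    for token in shlex.split(value):
        key, sep, val = token.partition("=")
        if not sep:
            raise ValueError(f"not key=value: {token!r}")
        items[key.lower()] = val             # keywords are case-insensitive in slapd
    return items

def audit(text=SAMPLE_LDIF):
    """One record per consumer: bind identity, and whether the provider cert is verified."""
    findings, db = [], None
    for attr, value in unfold_ldif(text):
        if attr == "dn":
            db = value
        elif attr == "olcsyncrepl":
            s = parse_syncrepl(value)
            findings.append({
                "db": db, "rid": s.get("rid"), "provider": s.get("provider"),
                "mech": s.get("saslmech", "").lower() if s.get("bindmethod") == "sasl" else "simple",
                "authcid": s.get("authcid"), "authzid": s.get("authzid"),
                # allow/never accept a bad or missing server cert; demand is the ldap.conf default
                "weak_tls": s.get("tls_reqcert", "demand").lower() in ("allow", "never"),
            })
    return findings
```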