Re: Syncrepl authentication via GSSAPI/SASL/Kerberos

On 09/30/14 13:14 -0400, Steven Presser wrote: > I'm running a pair of OpenLDAP servers on a network which primarily > uses kerberos for authentication. The two servers replicate data > (via a simple syncrepl master-slave setup). Right now, they're using > simple authentication. I'd like to move them to using kerberos > authentication. > Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=2 BIND > dn="uid=ldap/mordor.pressers.name,cn=gssapi,cn=auth" mech=GSSAPI > sasl_ssf=56 ssf=56 On 09/30/14 13:30 -0400, Steven Presser wrote: > No; That bind DN is used only in simple authentication. I am > maintaining them as separate accounts, for the time being. One of my > ACLs is: > > access to * > by dn.exact="cn=repl,dc=pressers,dc=name" read > by dn.exact="uid=ldap/mordor.pressers.name, > cn=pressers.name,cn=gssapi,cn=auth" read Your line here does not match the identity from your logs.