Dan,
Good catch! That did the trick! (This is what I get for reading the format out of the docs instead of the logs... And not double-checking)
Thanks a bunch, Steve
On 09/30/2014 02:09 PM, Dan White wrote:
On 09/30/14 13:14 -0400, Steven Presser wrote:
I'm running a pair of OpenLDAP servers on a network which primarily uses kerberos for authentication. The two servers replicate data (via a simple syncrepl master-slave setup). Right now, they're using simple authentication. I'd like to move them to using kerberos authentication.
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=2 BIND dn="uid=ldap/mordor.pressers.name,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=56 ssf=56
On 09/30/14 13:30 -0400, Steven Presser wrote:
No; That bind DN is used only in simple authentication. I am maintaining them as separate accounts, for the time being. One of my ACLs is:
access to * by dn.exact="cn=repl,dc=pressers,dc=name" read by dn.exact="uid=ldap/mordor.pressers.name, cn=pressers.name,cn=gssapi,cn=auth" read
Your line here does not match the identity from your logs.