Dan,
Good catch! That did the trick! (This is what I get for reading the
format out of the docs instead of the logs... and not double-checking.)
Thanks a bunch,
Steve
On 09/30/2014 02:09 PM, Dan White wrote:
On 09/30/14 13:14 -0400, Steven Presser wrote:
> I'm running a pair of OpenLDAP servers on a network which primarily
> uses Kerberos for authentication. The two servers replicate data
> (via a simple syncrepl master-slave setup). Right now, they're using
> simple authentication. I'd like to move them to using Kerberos
> authentication.
> Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=2 BIND dn="uid=ldap/mordor.pressers.name,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=56 ssf=56
On 09/30/14 13:30 -0400, Steven Presser wrote:
> No; that bind DN is used only in simple authentication. I am
> maintaining them as separate accounts, for the time being. One of my
> ACLs is:
>
> access to *
>     by dn.exact="cn=repl,dc=pressers,dc=name" read
>     by dn.exact="uid=ldap/mordor.pressers.name,cn=pressers.name,cn=gssapi,cn=auth" read
Your line here does not match the identity from your logs.
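The comparison Dan made by eye, written up as an added Python check (not code from the thread): it pulls the SASL-derived DNs out of slapd BIND log lines and reports any `dn.exact` clause under `cn=auth` that slapd never actually produced. The log line and ACL are the ones quoted above, re-typed on single lines as constructed samples; the DN normalization is a deliberate simplification of RFC 4514 matching.

```python
import re

# Constructed sample: the slapd BIND line quoted in the thread, re-typed as one line.
SAMPLE_LOG = (
    'Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=2 BIND '
    'dn="uid=ldap/mordor.pressers.name,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=56 ssf=56\n'
)

# Constructed sample: the ACL quoted in the thread, including the extra
# cn=pressers.name component that does not appear in slapd's log.
SAMPLE_ACL = """\
access to *
    by dn.exact="cn=repl,dc=pressers,dc=name" read
    by dn.exact="uid=ldap/mordor.pressers.name,cn=pressers.name,cn=gssapi,cn=auth" read
"""

BIND_RE = re.compile(r'\bBIND dn="([^"]*)"(?:.*\bmech=(\S+))?')
DN_EXACT_RE = re.compile(r'\bdn\.exact="([^"]*)"')

def normalize_dn(dn):
    # Simplification of RFC 4514 matching: case-fold and strip whitespace around commas.
    # Sufficient for the SASL-derived cn=auth DNs, which slapd emits in exactly this shape.
    return ",".join(part.strip().lower() for part in dn.split(","))

def sasl_bind_identities(log_text):
    """DNs that completed a SASL BIND (a 'mech=' field is present) in the log."""
    found = set()
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m and m.group(2):
            found.add(normalize_dn(m.group(1)))
    return found

def acl_exact_dns(acl_text):
    """All DNs named by dn.exact= clauses in a slapd.conf ACL fragment."""
    return {normalize_dn(dn) for dn in DN_EXACT_RE.findall(acl_text)}

def unmatched_acl_dns(acl_text, log_text):
    """cn=auth DNs in the ACL that no SASL bind in the log ever produced."""
    # A non-empty result means the ACL grants to an identity slapd never sees, so the
    # replica falls through to whatever a later 'by' clause (or the default) allows.
    seen = sasl_bind_identities(log_text)
    return sorted(dn for dn in acl_exact_dns(acl_text)
                  if dn.endswith(",cn=auth") and dn not in seen)

if __name__ == "__main__":
    for dn in unmatched_acl_dns(SAMPLE_ACL, SAMPLE_LOG):
        print("ACL DN never seen in BIND log:", dn)
```

Run it against a real slapd log (loglevel stats) and the live ACL block to catch the same realm-component slip before the replica silently loses read access.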