--On Tuesday, September 30, 2014 2:30 PM -0400 Steven Presser
<steve(a)pressers.name> wrote:
No; that bind DN is used only in simple authentication. I am maintaining
them as separate accounts, for the time being. One of my ACLs is:

access to *
    by dn.exact="cn=repl,dc=pressers,dc=name" read
    by dn.exact="uid=ldap/mordor.pressers.name,cn=pressers.name,cn=gssapi,cn=auth" read
    by * break

Which I think ought to cover the permissions required pretty well. As you
can see, they have identical permissions.

Also, I just noticed an error introduced by copy-paste in my last email.
In both configs there is a floating "i" on the searchbase line. That "i"
belongs at the end of "GSSAP" on the saslmech line.

Ok, well, without having your full configs available (minus passwords), one
can only make guesses. ;)
I would start with binding as that ID using ldapwhoami, then move on to
ldapsearch, etc, and verify all of that works as expected.
--Quanah
--
Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
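
The ldapwhoami-then-ldapsearch check suggested above, as an added example that is not part of the original message: it binds as each identity named in the ACL, compares the DN slapd reports with the DN the ACL expects, and then checks that both identities can read the same number of entries. The provider URI and the password file path are placeholders (assumptions), and the GSSAPI bind assumes a Kerberos ticket for the replica's principal is already in the credential cache.

```shell
#!/bin/sh
# Added example, not from the thread. URI and PWFILE are assumed placeholders.
URI="${URI:-ldap://provider.example}"          # assumption: provider URI
PWFILE="${PWFILE:-/etc/openldap/repl.secret}"  # assumption: cn=repl password file
BASE="${BASE:-dc=pressers,dc=name}"            # suffix taken from the ACL DNs
SIMPLE_DN="cn=repl,dc=pressers,dc=name"
GSSAPI_DN="uid=ldap/mordor.pressers.name,cn=pressers.name,cn=gssapi,cn=auth"

# Lower-case a DN and drop spaces after commas so two spellings compare equal.
norm_dn() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/, */,/g'; }

# whoami_matches EXPECTED_DN BIND_OPTIONS...
# Binds with the given options and compares the authzid slapd reports
# ("dn:<bound DN>") with the DN written in the ACL.
whoami_matches() {
    expected=$1; shift
    got=$(ldapwhoami -H "$URI" "$@") || { echo "bind failed: $*" >&2; return 2; }
    got=${got#dn:}
    [ "$(norm_dn "$got")" = "$(norm_dn "$expected")" ] && return 0
    echo "bound as '$got' but the ACL names '$expected'" >&2
    return 1
}

# visible_entries BIND_OPTIONS...
# Prints how many entries under BASE the bound identity can see.
# "1.1" requests no attributes; ldif-wrap=no keeps each dn on one line.
visible_entries() {
    ldapsearch -LLL -o ldif-wrap=no -H "$URI" -b "$BASE" -s sub "$@" \
        '(objectClass=*)' 1.1 | grep -c '^dn:' || true
}

# Both identities should bind as the DN the ACL names and see the same,
# non-zero number of entries if they really have identical read access.
compare_identities() {
    whoami_matches "$SIMPLE_DN" -x -D "$SIMPLE_DN" -y "$PWFILE" || return 1
    whoami_matches "$GSSAPI_DN" -Q -Y GSSAPI || return 1
    simple_count=$(visible_entries -x -D "$SIMPLE_DN" -y "$PWFILE")
    gssapi_count=$(visible_entries -Q -Y GSSAPI)
    echo "simple=$simple_count gssapi=$gssapi_count"
    [ "$simple_count" -gt 0 ] && [ "$simple_count" -eq "$gssapi_count" ]
}

# Run against a live server with: sh check.sh --run
if [ "${1:-}" = "--run" ]; then compare_identities; fi
```

If ldapwhoami reports a different DN for the GSSAPI bind than the one in the ACL, the `by dn.exact=` clause never matches that bind, which would show up as a lower entry count for the GSSAPI identity.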