Using X.509 (SASL EXTERNAL) is super easy (once you figure it out, like a lot of this stuff), and is nice because you are not relying on a KDC, and no passwords need to be displayed in your syncrepl configs.


From: brendan kearney <bpk678@gmail.com>
Sent: Friday, March 8, 2024 10:09 AM
To: Ben Poliakoff <benp@reed.edu>
Cc: mbalakri@opentext.com <mbalakri@opentext.com>; openldap-technical@openldap.org <openldap-technical@openldap.org>
Subject: Re: Configure replication without a plaintext password.
 
Ben,

I would like to use GSSAPI for my replication. Would you be willing to share how you went about it?

Thanks,
Brendan
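To illustrate the point made at the top of this reply, here is an added example (not code from the thread or from the OpenLDAP project) that parses slapd.conf-style `syncrepl` stanzas and flags stored secrets and simple binds where TLS is not enforced. Both stanzas, with their hostnames, DNs, certificate paths and the secret, are constructed placeholders, and the parser assumes indented continuation lines with no comments inside a stanza.

```python
import shlex

# Constructed slapd.conf-style stanzas; hosts, DNs, paths and the secret are placeholders.
SIMPLE = '''syncrepl rid=001
  provider=ldap://ldap1.example.com
  searchbase="dc=example,dc=com"
  bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com"
  credentials=ConstructedSecret
  type=refreshAndPersist retry="60 +"
'''
EXTERNAL = '''syncrepl rid=001
  provider=ldap://ldap1.example.com
  searchbase="dc=example,dc=com"
  bindmethod=sasl saslmech=EXTERNAL
  starttls=critical
  tls_cert=/etc/openldap/certs/replica.crt
  tls_key=/etc/openldap/certs/replica.key
  tls_cacert=/etc/openldap/certs/ca.crt
  type=refreshAndPersist retry="60 +"
'''

def parse_syncrepl(text):
    """Return one dict of key=value parameters per syncrepl directive."""
    stanzas, current = [], None
    for line in text.splitlines():
        if line.startswith("syncrepl"):
            current = []
            stanzas.append(current)
            line = line[len("syncrepl"):]
        elif not line[:1].isspace():
            current = None  # an unindented or blank line ends the stanza
        if current is not None:
            current.extend(shlex.split(line))
    return [dict(t.split("=", 1) for t in s if "=" in t) for s in stanzas]

def audit(params):
    """List findings for one parsed syncrepl stanza."""
    findings = []
    if "credentials" in params:
        findings.append("secret stored in config (credentials=)")
    tls_enforced = (params.get("provider", "").lower().startswith("ldaps://")
                    or params.get("starttls", "").lower() == "critical")
    if params.get("bindmethod", "").lower() == "simple" and not tls_enforced:
        findings.append("simple bind without ldaps:// or starttls=critical")
    return findings

if __name__ == "__main__":
    for stanza in parse_syncrepl(SIMPLE + EXTERNAL):
        print(stanza.get("bindmethod"), audit(stanza) or "ok")
```
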