hi to all,
I like to split the replication for cn=config and the object-db between two different Kerberos principals, so I did the following (so far):
1. create two principals and a keytab for both of them.
2. configured k5start to get two different ccache files (one for each user)
3. Now I want to change my syncrepl from:
---------------------------
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=001 provider=ldaps://provider01.example.net bindmethod=sasl saslmech=gssapi searchbase="cn=config" type=refreshAndPersist retry="5 5 100 +" timeout=1 tls_reqcert=allow
olcSyncRepl: rid=002 provider=ldaps://provider02.example.net bindmethod=sasl saslmech=gssapi searchbase="cn=config" type=refreshAndPersist retry="5 5 100 +" timeout=1 tls_reqcert=allow
---------------------------
And
-----------------------------
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=101 provider=ldaps://provider01.example.net bindmethod=sasl saslmech=gssapi authzid=uid=krepl-main,cn=gssapi,cn=auth timeout=0 network-timeout=0 filter="(objectclass=*)" searchbase="dc=example,dc=net" scope=sub schemachecking=off type=refreshAndPersist retry="60 +" tls_reqcert=allow
olcSyncrepl: rid=102 provider=ldaps://provider02.example.net bindmethod=sasl saslmech=gssapi authzid=uid=krepl-main,cn=gssapi,cn=auth timeout=0 network-timeout=0 filter="(objectclass=*)" searchbase="dc=example,dc=net" scope=sub schemachecking=off type=refreshAndPersist retry="60 +" keepalive=240:10:30 tls_reqcert=allow
-----------------------------------
to use a different identity. I found the options [authcid=<identity>] [authzid=<identity>], but nothing on how to configure these options.
When I get the ticket for the user and do an ldapwhoami I'm getting dn:uid=krepl-config,cn=gssapi,cn=auth and dn:uid=krepl-main,cn=gssapi,cn=auth
The DNs are: krbPrincipalName=krepl-config@EXAMPLE.NET,cn=EXAMPLE.NET,cn=kerberos,dc=example,dc=net
and krbPrincipalName=krepl-main@EXAMPLE.NET,cn=EXAMPLE.NET,cn=kerberos,dc=example,dc=net
So which option do I have to take, and what is the right value for the option?
Stefan
--On Thursday, February 20, 2025 4:16 PM +0100 Stefan Kania stefan@kania-online.de wrote:
hi to all,
I like to split the replication for cn=config and the object-db between two different Kerberos principals, so I did the following (so far):
- create two principals and a keytab for both of them.
- configured k5start to get two different ccache files (one for each user)
3. Now I want to change my syncrepl from:
Not clear to me how you tell syncrepl to use different ticket caches, which would be required.
--Quanah
With k5start you can create different ticket caches. I managed to get it working today. I use: authcid = user@MY.REALM
Maybe it would be a good idea to put an example into the manpage for the two options authcid and authzid.
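As an added example (not from the original thread or from the OpenLDAP project), here is what the cn=config syncrepl entries from the first message look like once authcid is set to the second principal, so that cn=config is pulled as krepl-config while the mdb database keeps using krepl-main. The realm EXAMPLE.NET and the principal names are taken from the thread; everything else is the thread's own settings.

```ldif
# Added example: cn=config replication bound as the krepl-config principal.
# authcid names the Kerberos identity slapd should authenticate as;
# the SASL layer maps it to uid=krepl-config,cn=gssapi,cn=auth, the
# same DN that ldapwhoami reports for a ticket of that principal.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=001 provider=ldaps://provider01.example.net
  bindmethod=sasl saslmech=gssapi
  authcid=krepl-config@EXAMPLE.NET
  searchbase="cn=config" type=refreshAndPersist
  retry="5 5 100 +" timeout=1 tls_reqcert=allow
olcSyncRepl: rid=002 provider=ldaps://provider02.example.net
  bindmethod=sasl saslmech=gssapi
  authcid=krepl-config@EXAMPLE.NET
  searchbase="cn=config" type=refreshAndPersist
  retry="5 5 100 +" timeout=1 tls_reqcert=allow
```

The leading single space on the continuation lines is LDIF line folding, so each olcSyncRepl value is still one logical line when loaded with ldapmodify. Note that authcid only selects which credentials GSSAPI asks for; a ticket for that principal must already be present in a credential cache that slapd can read, which is what the k5start setup in this thread provides.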
On 21.02.25 at 21:11, Quanah Gibson-Mount wrote:
--On Thursday, February 20, 2025 4:16 PM +0100 Stefan Kania stefan@kania-online.de wrote:
hi to all,
I like to split the replication for cn=config and the object-db between two different Kerberos principals, so I did the following (so far):
- create two principals and a keytab for both of them.
- configured k5start to get two different ccache files (one for each user)
3. Now I want to change my syncrepl from:
Not clear to me how you tell syncrepl to use different ticket caches, which would be required.
--Quanah
--On Friday, February 21, 2025 9:25 PM +0100 Stefan Kania stefan@kania-online.de wrote:
With k5start you can create different ticket caches. I managed to get it working today. I use: authcid = user@MY.REALM
Maybe it would be a good idea to put an example into the manpage for the two options authcid and authzid.
Yeah, I know all about k5start, I used to work with Russ.
My question was more how does slapd know which one to use... I always had to set the k5 ticket cache in the environment before starting slapd. Would love to see an example :)
--Quanah
I use this option
-U Rather than requiring the authentication principal be given on the command line, read it from the keytab specified with -f. The principal will be taken from the first entry in the keytab. -f must be specified if this option is used.
so my systemd file, to start k5start, looks like this:
------------
[Unit]
Description=k5start for generating tickets for ldap main-db replication
After=syslog.target network.target

[Service]
StartLimitInterval=5
StartLimitBurst=10
ExecStart=/usr/bin/k5start -k /tmp/krb5ccm_11 -m 600 -o openldap -g openldap -U -f /opt/symas/etc/openldap/krepl-main.keytab -K 10 -l 10h
Restart=always
RestartSec=120

[Install]
WantedBy=multi-user.target
-----------
On 21.02.25 at 23:42, Quanah Gibson-Mount wrote:
--On Friday, February 21, 2025 9:25 PM +0100 Stefan Kania <stefan@kania-online.de> wrote:
With k5start you can create different ticket caches. I managed to get it working today. I use: authcid = user@MY.REALM
Maybe it would be a good idea to put an example into the manpage for the two options authcid and authzid.
Yeah, I know all about k5start, I used to work with Russ.
My question was more how does slapd know which one to use... I always had to set the k5 ticket cache in the environment before starting slapd. Would love to see an example :)
--Quanah
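Quanah's open question is how slapd, which reads a single KRB5CCNAME, finds the right ticket for each authcid. The following is an added example, not configuration from the thread: it pairs the k5start unit shown above with a second one for krepl-config and points slapd at a credential cache collection. It assumes MIT Kerberos (DIR: collections hold one cache per principal, and GSSAPI picks the cache whose principal matches the requested authcid), that k5start's -k accepts the DIR:: form, and that slapd runs as a systemd service named slapd.service. The directory /var/run/slapd-krb5 and the keytab path for krepl-config are placeholders.

```ini
# Added example: two k5start units feeding one DIR: cache collection.
# /etc/systemd/system/k5start-krepl-main.service
[Unit]
Description=k5start ticket for ldap main-db replication (krepl-main)
After=network.target

[Service]
# DIR::<path> selects one subsidiary cache inside the collection
# /var/run/slapd-krb5 (assumed MIT Kerberos syntax).
ExecStart=/usr/bin/k5start -k DIR::/var/run/slapd-krb5/tkt_main -m 600 -o openldap -g openldap -U -f /opt/symas/etc/openldap/krepl-main.keytab -K 10 -l 10h
Restart=always
RestartSec=120

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/k5start-krepl-config.service
[Unit]
Description=k5start ticket for ldap cn=config replication (krepl-config)
After=network.target

[Service]
# Placeholder keytab path for the second principal.
ExecStart=/usr/bin/k5start -k DIR::/var/run/slapd-krb5/tkt_config -m 600 -o openldap -g openldap -U -f /opt/symas/etc/openldap/krepl-config.keytab -K 10 -l 10h
Restart=always
RestartSec=120

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/slapd.service.d/krb5ccname.conf (drop-in, assumed unit name)
[Service]
# slapd sees the whole collection; each syncrepl consumer's authcid
# selects the matching subsidiary cache.
Environment=KRB5CCNAME=DIR:/var/run/slapd-krb5
```

With a plain FILE: cache such as /tmp/krb5ccm_11, only one principal can be present, so the two caches from the thread cannot both be reached through a single KRB5CCNAME; the collection is the part that makes two authcid values workable. A quick check before restarting slapd is `KRB5CCNAME=DIR:/var/run/slapd-krb5 klist -A` as the openldap user, which should list both principals.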
openldap-technical@openldap.org