hi to all,
I like to split the replication for cn=config and the object-db between two different kerberos-principals so I did the following (so far):
1. create two principals and a keytab for both of them.
2. configured k5start to get two different ccache files (one for each user)
3. Now I want to change my syncrepl from:
---------------------------
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=001 provider=ldaps://provider01.example.net bindmethod=sasl saslmech=gssapi searchbase="cn=config" type=refreshAndPersist retry="5 5 100 +" timeout=1 tls_reqcert=allow
olcSyncRepl: rid=002 provider=ldaps://provider02.example.net bindmethod=sasl saslmech=gssapi searchbase="cn=config" type=refreshAndPersist retry="5 5 100 +" timeout=1 tls_reqcert=allow
---------------------------
And
-----------------------------
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=101 provider=ldaps://provider01.example.net bindmethod=sasl saslmech=gssapi authzid=uid=krepl-main,cn=gssapi,cn=auth timeout=0 network-timeout=0 filter="(objectclass=*)" searchbase="dc=example,dc=net" scope=sub schemachecking=off type=refreshAndPersist retry="60 +" tls_reqcert=allow
olcSyncrepl: rid=102 provider=ldaps://provider02.example.net bindmethod=sasl saslmech=gssapi authzid=uid=krepl-main,cn=gssapi,cn=auth timeout=0 network-timeout=0 filter="(objectclass=*)" searchbase="dc=example,dc=net" scope=sub schemachecking=off type=refreshAndPersist retry="60 +" keepalive=240:10:30 tls_reqcert=allow
-----------------------------------
to use a different identity. I found the options [authcid=<identity>] [authzid=<identity>], but nothing about how to configure these options.
When I get the ticket for the user and do an ldapwhoami I'm getting dn:uid=krepl-config,cn=gssapi,cn=auth and dn:uid=krepl-main,cn=gssapi,cn=auth
The DNs are: krbPrincipalName=krepl-config@EXAMPLE.NET,cn=EXAMPLE.NET,cn=kerberos,dc=example,dc=net
and krbPrincipalName=krepl-main@EXAMPLE.NET,cn=EXAMPLE.NET,cn=kerberos,dc=example,dc=net
So which option do I have to take and what is the right value for the option?
Stefan
--On Thursday, February 20, 2025 4:16 PM +0100 Stefan Kania stefan@kania-online.de wrote:
hi to all,
I like to split the replication for cn=config and the object-db between two different kerberos-principals so I did the following (so far)
- create two principals and a keytab for both of them.
- configured k5start to get two different ccache files (one for each user)
- Now I want to change my syncrepl from:
Not clear to me how you tell syncrepl to use different ticket caches, which would be required.
--Quanah
With k5start you can create different ticket caches. I managed to get it working today. I use: authcid = user@MY.REALM
Maybe it would be a good idea to put an example into the manpage for the two options authcid and authzid.
Am 21.02.25 um 21:11 schrieb Quanah Gibson-Mount:
--On Thursday, February 20, 2025 4:16 PM +0100 Stefan Kania stefan@kania-online.de wrote:
hi to all,
I like to split the replication for cn=config and the object-db between two different kerberos-principals so I did the following (so far)
- create two principals and a keytab for both of them.
- configured k5start to get two different ccache files (one for each user)
- Now I want to change my syncrepl from:
Not clear to me how you tell syncrepl to use different ticket caches, which would be required.
--Quanah
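An added check, not code from the thread: it parses olcSyncRepl values in the key=value form quoted above (quoted values such as retry="5 5 100 +" kept intact), groups consumers by their authcid, and flags GSSAPI consumers with no authcid (which fall back to whatever cache slapd's own environment points at, as Quanah describes) and tls_reqcert=allow. The sample values are constructed from the thread's LDIF, with the two principal names taken from the DNs Stefan quoted.

```python
import shlex

# Constructed sample values, modelled on the two consumers in the thread, with a
# distinct authcid per database (principal names taken from the quoted DNs).
SYNCREPL_CONFIG = ('rid=001 provider=ldaps://provider01.example.net bindmethod=sasl '
                   'saslmech=gssapi authcid=krepl-config@EXAMPLE.NET searchbase="cn=config" '
                   'type=refreshAndPersist retry="5 5 100 +" timeout=1 tls_reqcert=allow')
SYNCREPL_MAIN = ('rid=101 provider=ldaps://provider01.example.net bindmethod=sasl '
                 'saslmech=gssapi authcid=krepl-main@EXAMPLE.NET '
                 'authzid=uid=krepl-main,cn=gssapi,cn=auth timeout=0 network-timeout=0 '
                 'filter="(objectclass=*)" searchbase="dc=example,dc=net" scope=sub '
                 'schemachecking=off type=refreshAndPersist retry="60 +" tls_reqcert=allow')


def parse_syncrepl(value):
    """Split one olcSyncRepl value into {key: value}; quoted values keep their spaces."""
    params = {}
    for token in shlex.split(value):
        if "=" not in token:
            raise ValueError(f"not a key=value parameter: {token!r}")
        key, _, val = token.partition("=")   # first '=' only: authzid=uid=...,cn=auth
        params[key.lower()] = val
    return params


def check_consumers(values):
    """Return (findings, rids grouped by authcid) for a list of syncrepl values."""
    findings, seen_rid, by_authcid = [], set(), {}
    for value in values:
        p = parse_syncrepl(value)
        rid = p.get("rid", "?")
        if rid in seen_rid:
            findings.append(f"rid {rid}: duplicate replica id")
        seen_rid.add(rid)
        if p.get("bindmethod") == "sasl" and p.get("saslmech", "").lower() == "gssapi":
            if "authcid" in p:
                by_authcid.setdefault(p["authcid"], []).append(rid)
            else:
                # No explicit identity: the bind uses whatever credential cache
                # slapd's own environment (KRB5CCNAME) points at.
                findings.append(f"rid {rid}: GSSAPI without authcid, uses slapd's default ccache")
        if p.get("tls_reqcert") == "allow":
            # 'allow' proceeds even when the provider presents a bad certificate.
            findings.append(f"rid {rid}: tls_reqcert=allow does not verify the provider certificate")
    return findings, by_authcid


if __name__ == "__main__":
    for line in check_consumers([SYNCREPL_CONFIG, SYNCREPL_MAIN])[0]:
        print(line)
```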
--On Friday, February 21, 2025 9:25 PM +0100 Stefan Kania stefan@kania-online.de wrote:
With k5start you can create different ticket caches. I managed to get it working today. I use: authcid = user@MY.REALM
Maybe it would be a good idea to put an example into the manpage for the two options authcid and authzid.
Yeah I know all about k5start, I used to work with Russ.
My question was more how does slapd know which one to use... I always had to set the k5 ticket cache in the environment before starting slapd. Would love to see an example :)
--Quanah
I use this option
-U Rather than requiring the authentication principal be given on the command line, read it from the keytab specified with -f. The principal will be taken from the first entry in the keytab. -f must be specified if this option is used.
so my systemd file, to start k5start, looks like this:
------------
[Unit]
Description=k5start for generating tickets for ldap main-db replication
After=syslog.target network.target

[Service]
StartLimitInterval=5
StartLimitBurst=10
ExecStart=/usr/bin/k5start -k /tmp/krb5ccm_11 -m 600 -o openldap -g openldap -U -f /opt/symas/etc/openldap/krepl-main.keytab -K 10 -l 10h
Restart=always
RestartSec=120

[Install]
WantedBy=multi-user.target
-----------
Am 21.02.25 um 23:42 schrieb Quanah Gibson-Mount:
--On Friday, February 21, 2025 9:25 PM +0100 Stefan Kania <stefan@kania-online.de> wrote:
With k5start you can create different ticket caches. I managed to get it working today. I use: authcid = user@MY.REALM
Maybe it would be a good idea to put an example into the manpage for the two options authcid and authzid.
Yeah I know all about k5start, I used to work with Russ.
My question was more how does slapd know which one to use... I always had to set the k5 ticket cache in the environment before starting slapd. Would love to see an example :)
--Quanah
On Sat, Feb 22, 2025 at 09:10:24AM +0100, Stefan Kania wrote:
I use this option
-U Rather than requiring the authentication principal be given on the command line, read it from the keytab specified with -f. The principal will be taken from the first entry in the keytab. -f must be specified if this option is used.
Hi Stefan, I think what Quanah meant with his question was how would slapd (or rather the underlying krb5 library used by libsasl2) be able to decide which cache to use for which syncrepl client?
Thanks,
openldap-technical@openldap.org