list members,
I have separate olcRootDNs for cn=config and for dc=bpk2,dc=com (cn=config and cn=Manager,dc=bpk2,dc=com respectively) configured in slapd. I would like to change this so that the olcRootDNs are part of a DIT, and have their authentication managed via SASL or Kerberos. I am using the cn=config olcRootDN as the ID for the n-way multi-master replication of both cn=config and the olcDatabase for the hdb that has the dc=bpk2,dc=com tree in it. I believe the below will get the olcRootDNs configured for an ID contained in the DIT:
ldapmodify -QY EXTERNAL -H ldapi:/// <<'EOF'
# olcRootDN is a database attribute: for the config database it is set on
# olcDatabase={0}config,cn=config, not on the cn=config entry itself
dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcRootDN
olcRootDN: cn=config
-
add: olcRootDN
olcRootDN: uid=root,cn=bpk2.com,cn=gssapi,cn=auth
-
delete: olcRootPW
-

dn: olcDatabase={2}hdb,cn=config
changetype: modify
delete: olcRootDN
olcRootDN: cn=Manager,dc=bpk2,dc=com
-
add: olcRootDN
olcRootDN: uid=root,cn=bpk2.com,cn=gssapi,cn=auth
-
delete: olcRootPW
-
EOF
When performing the delete action, do I need to do both "delete: olcRootDN" and then specify "olcRootDN: cn=config"? Since there is only one value, I would think it is unnecessary, but I just want to check.
What are best practices around using a RootDN ID contained in a DIT? I would imagine using "root" is something to avoid. What suggestions are there around the RootDN ID? What about using the RootDN ID as the ID for replication, when the bind method is SASL and the SASL mech is GSSAPI? Should a different ID be used for replication?
I am using n-way multi-master replication with credentials= specified in my configs. With the below, I plan to modify the ID used to do the replication, as well as the authentication:
ldapmodify -QY EXTERNAL -H ldapi:/// <<'EOF'
# olcSyncrepl is a database attribute: the config database is
# olcDatabase={0}config,cn=config and the data database is
# olcDatabase={2}hdb,cn=config (not the dc=bpk2,dc=com entry in the DIT).
# The keyword is bindmethod (one word). rid must be unique across the whole
# consumer server, so the hdb consumers use 003/004 rather than 001/002 again.
dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcSyncrepl
olcSyncrepl: {1}
-
delete: olcSyncrepl
olcSyncrepl: {0}
-
add: olcSyncrepl
olcSyncrepl: {0}rid=001 provider=ldap://ldap1.bpk2.com binddn="replication_user" bindmethod=sasl saslmech=gssapi searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncrepl: {1}rid=002 provider=ldap://ldap2.bpk2.com binddn="replication_user" bindmethod=sasl saslmech=gssapi searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
-

dn: olcDatabase={2}hdb,cn=config
changetype: modify
delete: olcSyncrepl
olcSyncrepl: {1}
-
delete: olcSyncrepl
olcSyncrepl: {0}
-
add: olcSyncrepl
olcSyncrepl: {0}rid=003 provider=ldap://ldap1.bpk2.com binddn="replication_user" bindmethod=sasl saslmech=gssapi searchbase="dc=bpk2,dc=com" scope=sub schemachecking=off type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncrepl: {1}rid=004 provider=ldap://ldap2.bpk2.com binddn="replication_user" bindmethod=sasl saslmech=gssapi searchbase="dc=bpk2,dc=com" scope=sub schemachecking=off type=refreshAndPersist retry="5 5 300 5" timeout=1
-
EOF
Does the "replication_user" ID need to be user@domain.tld or in some other "qualified" format, or will just the ID/name be OK? With the above config to use SASL auth for replication, do I need to run k5start for the tickets to be maintained for the replication_user? I don't want to use authcid or authzid because of the requirement of the credentials being in the config. I want no password to be in the configs. From what I find, k5start is needed.
Thanks in advance,
brendan
openldap-technical@openldap.org
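The message above wants replication configured with no password in cn=config. The following is an added example, not code from the original message or from OpenLDAP: a small Python checker that parses olcSyncrepl attribute values and reports anything that contradicts that goal (a credentials= keyword, a bind method other than SASL, a SASL mechanism other than GSSAPI) together with a malformed or duplicated rid, which must be unique across the whole consumer server rather than per database. It works on the attribute values as strings and never talks to slapd; the sample values at the bottom are constructed, and ldap1.bpk2.com / ldap2.bpk2.com are assumed host names.

```python
"""Audit olcSyncrepl values for the no-password-in-config goal.

Added example: this is not code from the original message or from OpenLDAP.
It only parses attribute values as strings and never contacts slapd.  The
sample values at the bottom are constructed; the provider host names are
assumptions.
"""
import re
import shlex

# back-config prefixes ordered values with {n}; the index is not a keyword
ORDER_PREFIX = re.compile(r"^\{\d+\}")


def parse_syncrepl(value):
    """Split one olcSyncrepl value into a dict of lower-cased keyword -> value.

    shlex handles quoted values such as retry="5 5 300 5"; partition() splits
    on the first '=' only, so searchbase="dc=bpk2,dc=com" survives intact.
    """
    params = {}
    for token in shlex.split(ORDER_PREFIX.sub("", value.strip())):
        key, sep, val = token.partition("=")
        if not sep:
            raise ValueError("malformed syncrepl token: %r" % token)
        params[key.lower()] = val
    return params


def audit_syncrepl(value):
    """Findings for one value; an empty list means SASL/GSSAPI with no secret."""
    p = parse_syncrepl(value)
    findings = []
    if "credentials" in p:
        findings.append("credentials= stores a static secret in cn=config")
    method = p.get("bindmethod", "simple").lower()  # slapd's default is simple
    if method != "sasl":
        findings.append("bindmethod=%s; expected sasl" % method)
    elif p.get("saslmech", "").upper() != "GSSAPI":
        findings.append("saslmech=%s; expected GSSAPI"
                        % (p.get("saslmech") or "(unset)"))
    if not re.fullmatch(r"\d{1,3}", p.get("rid", "")):
        findings.append("rid must be one to three decimal digits")
    for required in ("provider", "searchbase"):
        if required not in p:
            findings.append("missing %s=" % required)
    return findings


def audit_syncrepl_values(values):
    """Audit every olcSyncrepl value of one consumer server.

    Returns a list of (rid, findings) in input order.  rid must be unique
    across the whole server, not just within one database, so a repeated rid
    is reported on its later occurrence.
    """
    report = []
    seen = set()
    for value in values:
        rid = parse_syncrepl(value).get("rid", "?")
        findings = audit_syncrepl(value)
        if rid in seen:
            findings.append("duplicate rid %s" % rid)
        seen.add(rid)
        report.append((rid, findings))
    return report


# Constructed samples: a GSSAPI consumer carrying no secret, and a simple-bind
# consumer with credentials= in the config that also reuses the same rid.
SAMPLE_GSSAPI = (
    '{0}rid=001 provider=ldap://ldap1.bpk2.com bindmethod=sasl saslmech=gssapi '
    'searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1'
)
SAMPLE_SIMPLE = (
    '{1}rid=001 provider=ldap://ldap2.bpk2.com binddn="cn=config" '
    'credentials="secret" searchbase="cn=config" type=refreshAndPersist '
    'retry="5 5 300 5" timeout=1'
)

if __name__ == "__main__":
    for rid, findings in audit_syncrepl_values([SAMPLE_GSSAPI, SAMPLE_SIMPLE]):
        print("rid=%s: %s" % (rid, "; ".join(findings) or "ok"))
```

On a live server the values to feed into audit_syncrepl_values can be read over the local socket with ldapsearch -QY EXTERNAL -H ldapi:/// -b cn=config olcSyncrepl; the checker deliberately treats the absence of bindmethod= as simple, because that is what slapd assumes when the keyword is left out.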