Hi,
I have been migrating my OpenLDAP 2.3 slapd.conf configuration to a 2.4 slapd.d
replacement. Previously I had a single master and two slaves but I have moved
it to multi-master with a replicated cn=config and database. I am using SASL
and Heimdal Kerberos with the principals stored in the LDAP database.
I have managed to almost complete this but I'm now stuck on the following
point: I can only get GSSAPI LDAP authentication to work on the host whose name
is equal to the value of olcSaslHost. As I have 3 masters and a replicated
cn=config this can only be true on one host at a time. i.e.
olcSaslHost: ldap1.my.domain
ldapsearch -H ldaps://ldap1.my.domain -Y GSSAPI = works
ldapsearch -H ldaps://ldap2.my.domain -Y GSSAPI = fails
ldapsearch -H ldaps://ldap3.my.domain -Y GSSAPI = fails
update olcSaslHost to ldap2.my.domain
ldapsearch -H ldaps://ldap1.my.domain -Y GSSAPI = fails
ldapsearch -H ldaps://ldap2.my.domain -Y GSSAPI = works
ldapsearch -H ldaps://ldap3.my.domain -Y GSSAPI = fails
I tried setting olcSaslHost to localhost but then none work, so I assume the
olcSaslHost value is being used to build a Kerberos principal. Am I missing a
trick or do I have to stop replicating cn=config in order to make it work on
all 3? I can post configuration files if this will help.
Thanks,
James
This message and the information contained herein is proprietary and
confidential and subject to the Amdocs policy statement,
you may review at http://www.amdocs.com/email_disclaimer.asp
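The success/failure matrix above follows directly if the value of olcSaslHost is what slapd hands to Cyrus SASL as the server FQDN, so that the GSSAPI acceptor name becomes ldap/<olcSaslHost>@REALM while the client asks the KDC for ldap/<host in the -H URI>@REALM. The model below is an added example, not code from the original post or from OpenLDAP. It assumes the realm MY.DOMAIN, three constructed masters whose keytabs hold only their own ldap/ key, and that an unset olcSaslHost makes slapd fall back to the local host's FQDN (which is the behaviour the fix relies on; confirm it against your slapd version). It reproduces the observed matrix, predicts what happens once the replicated attribute is deleted, and produces the ldapmodify input and keytab pre-check a practitioner would want before changing a replicated cn=config.

```python
"""Model of how a replicated olcSaslHost selects the GSSAPI acceptor
principal.  Added example; all hostnames, the realm and the keytab
contents are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

REALM = "MY.DOMAIN"  # assumed realm name


@dataclass
class Server:
    fqdn: str
    # Principals present in this host's keytab (constructed sample data).
    keytab: Set[str] = field(default_factory=set)


def acceptor_principal(server: Server, olc_sasl_host: Optional[str]) -> str:
    """Service principal slapd offers: ldap/<olcSaslHost> when the attribute
    is set, otherwise ldap/<own FQDN> (assumed default)."""
    host = olc_sasl_host or server.fqdn
    return f"ldap/{host}@{REALM}"


def client_target(uri: str) -> str:
    """Service principal the client asks the KDC for: ldap/<host of -H URI>."""
    host = uri.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return f"ldap/{host}@{REALM}"


def gssapi_bind_works(uri: str, server: Server, olc_sasl_host: Optional[str]) -> bool:
    """A bind succeeds only if client and server agree on the principal and
    the server's keytab actually holds that key."""
    wanted = client_target(uri)
    offered = acceptor_principal(server, olc_sasl_host)
    return wanted == offered and offered in server.keytab


def bind_matrix(servers: List[Server], olc_sasl_host: Optional[str]) -> Dict[str, bool]:
    """Outcome of `ldapsearch -H ldaps://<fqdn> -Y GSSAPI` against each master
    for one replicated olcSaslHost value (None = attribute absent)."""
    return {s.fqdn: gssapi_bind_works(f"ldaps://{s.fqdn}", s, olc_sasl_host)
            for s in servers}


def saslhost_in_config(ldif: str) -> Optional[str]:
    """Return the plain-text olcSaslHost value in a cn=config LDIF dump, else None."""
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "olcsaslhost":
            return value.strip()
    return None


def remove_saslhost_ldif() -> str:
    """ldapmodify input that drops the attribute cluster-wide so every master
    falls back to its own FQDN (the change replicates with cn=config)."""
    return "dn: cn=config\nchangetype: modify\ndelete: olcSaslHost\n"


def missing_keys(servers: List[Server]) -> Dict[str, str]:
    """Hosts whose keytab lacks the ldap/<own FQDN> key they will need once
    olcSaslHost is gone (verify on each host with `klist -k`)."""
    return {s.fqdn: acceptor_principal(s, None)
            for s in servers if acceptor_principal(s, None) not in s.keytab}


def demo_cluster() -> List[Server]:
    """Constructed three-master cluster, each holding only its own ldap/ key."""
    return [Server(f, {f"ldap/{f}@{REALM}"})
            for f in ("ldap1.my.domain", "ldap2.my.domain", "ldap3.my.domain")]


if __name__ == "__main__":
    cluster = demo_cluster()
    for setting in ("ldap1.my.domain", "ldap2.my.domain", "localhost", None):
        print(f"olcSaslHost={setting!r}: {bind_matrix(cluster, setting)}")
    print("keytab gaps before removing olcSaslHost:", missing_keys(cluster))
    print(remove_saslhost_ldif())
```

With the attribute set to ldap1.my.domain only ldap1 succeeds, with localhost nothing succeeds (no host holds ldap/localhost), and with the attribute absent all three succeed, provided each host's keytab already contains its own ldap/<fqdn> key. In practice the LDIF from remove_saslhost_ldif() would be applied once on any master (for example with ldapmodify over ldapi:/// using EXTERNAL auth) and replication carries it to the others; run the keytab check first, because a host missing its own key goes from "works when named in olcSaslHost" to "never works" the moment the attribute disappears.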