Hi to all,

I would like to split the replication for cn=config and the object DB between two different Kerberos principals, so I did the following (so far):
1. created two principals and a keytab for both of them.
2. configured k5start to get two different ccache files (one for each user)
3. Now I want to change my syncrepl from:

---------------------------
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldaps://provider01.example.net
  bindmethod=sasl
  saslmech=gssapi
  searchbase="cn=config"
  type=refreshAndPersist
  retry="5 5 100 +"
  timeout=1
  tls_reqcert=allow
olcSyncRepl: rid=002
  provider=ldaps://provider02.example.net
  bindmethod=sasl
  saslmech=gssapi
  searchbase="cn=config"
  type=refreshAndPersist
  retry="5 5 100 +"
  timeout=1
  tls_reqcert=allow
---------------------------
And

-----------------------------
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=101
  provider=ldaps://provider01.example.net
  bindmethod=sasl
  saslmech=gssapi
  authzid=uid=krepl-main,cn=gssapi,cn=auth
  timeout=0
  network-timeout=0
  filter="(objectclass=*)"
  searchbase="dc=example,dc=net"
  scope=sub
  schemachecking=off
  type=refreshAndPersist
  retry="60 +"
  tls_reqcert=allow
olcSyncrepl: rid=102
  provider=ldaps://provider02.example.net
  bindmethod=sasl
  saslmech=gssapi
  authzid=uid=krepl-main,cn=gssapi,cn=auth
  timeout=0
  network-timeout=0
  filter="(objectclass=*)"
  searchbase="dc=example,dc=net"
  scope=sub
  schemachecking=off
  type=refreshAndPersist
  retry="60 +"
  keepalive=240:10:30
  tls_reqcert=allow
-----------------------------------

to use a different identity. I found the options
[authcid=<identity>]
[authzid=<identity>]

But nothing about how to configure these options.

When I get the ticket for the user and do an ldapwhoami, I get
dn:uid=krepl-config,cn=gssapi,cn=auth
and
dn:uid=krepl-main,cn=gssapi,cn=auth

The DNs are:
[email protected],cn=EXAMPLE.NET,cn=kerberos,dc=example,dc=net

and
[email protected],cn=EXAMPLE.NET,cn=kerberos,dc=example,dc=net

So which option do I have to take, and what is the right value for the option?


Stefan
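Before committing a change like the one above, it helps to see exactly which identity each syncrepl consumer declares in the LDIF, since a consumer with neither authcid nor authzid set will bind as whatever principal the default credential cache holds. The following is an added example, not code from the original post or from OpenLDAP; it unfolds the LDIF continuation lines, parses each olcSyncrepl value (quoted values such as retry="5 5 100 +" included) and reports, per database, the authcid/authzid of every rid. The sample LDIF is constructed from the values quoted in the post (trimmed to three consumers), and the function names are this example's own.

```python
"""
Parse olcSyncrepl values out of LDIF change records and report which SASL
identity each replication consumer declares.  Added example; the sample
LDIF is constructed from the values in the mailing-list post.
"""
import shlex

SAMPLE_LDIF = """\
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldaps://provider01.example.net
  bindmethod=sasl
  saslmech=gssapi
  searchbase="cn=config"
  type=refreshAndPersist
  retry="5 5 100 +"
  timeout=1
  tls_reqcert=allow
olcSyncRepl: rid=002
  provider=ldaps://provider02.example.net
  bindmethod=sasl
  saslmech=gssapi
  searchbase="cn=config"
  type=refreshAndPersist
  retry="5 5 100 +"
  timeout=1
  tls_reqcert=allow

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=101
  provider=ldaps://provider01.example.net
  bindmethod=sasl
  saslmech=gssapi
  authzid=uid=krepl-main,cn=gssapi,cn=auth
  searchbase="dc=example,dc=net"
  type=refreshAndPersist
  retry="60 +"
  keepalive=240:10:30
  tls_reqcert=allow
"""


def unfold_ldif(text):
    """Return (dn, attr, value) triples; a line starting with one space
    continues the previous line (LDIF folding drops exactly that space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, dn = [], None
    for line in lines:
        if not line:          # blank line ends the current record
            dn = None
            continue
        attr, _, value = line.partition(":")   # only the first ':' separates attr and value
        value = value.lstrip()
        if attr.lower() == "dn":
            dn = value
        elif dn is not None:
            records.append((dn, attr, value))
    return records


def parse_syncrepl(value):
    """Split 'rid=001 provider=... retry="5 5 100 +"' into a dict.
    shlex honours the double quotes, so quoted values keep their spaces."""
    params = {}
    for token in shlex.split(value):
        key, sep, val = token.partition("=")   # authzid=uid=...: split at the first '=' only
        if not sep:
            raise ValueError(f"malformed syncrepl token: {token!r}")
        params[key.lower()] = val
    return params


def identity_report(text):
    """Map database DN -> {rid: {'provider', 'authcid', 'authzid'}} for every
    SASL consumer found in the LDIF (attribute name compared case-insensitively)."""
    report = {}
    for dn, attr, value in unfold_ldif(text):
        if attr.lower() != "olcsyncrepl":
            continue
        p = parse_syncrepl(value)
        if p.get("bindmethod") != "sasl":
            continue
        report.setdefault(dn, {})[p["rid"]] = {
            "provider": p["provider"],
            "authcid": p.get("authcid"),
            "authzid": p.get("authzid"),
        }
    return report


def consumers_without_explicit_identity(report):
    """(dn, rid) pairs that set neither authcid nor authzid: these bind as
    whatever principal the slapd process's default credential cache holds."""
    return [(dn, rid) for dn, rids in report.items()
            for rid, c in rids.items()
            if c["authcid"] is None and c["authzid"] is None]


if __name__ == "__main__":
    rep = identity_report(SAMPLE_LDIF)
    for dn, rids in rep.items():
        for rid, c in rids.items():
            print(f"{dn}  rid={rid}  authcid={c['authcid']}  authzid={c['authzid']}")
    for dn, rid in consumers_without_explicit_identity(rep):
        print(f"no explicit identity: {dn} rid={rid}")
```

Run it against the real LDIF you are about to apply with ldapmodify; the consumers it lists under "no explicit identity" are the ones whose bind identity depends on the credential cache rather than on the configuration, which is the ambiguity the two-principal setup is meant to remove.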
