I'm trying to set up a replication server for LDAP using syncrepl. I would like to use Kerberos to authenticate the consumer, because we have it set up, and it seems more secure. The database definitions for my provider and consumer are below.
When I start the consumer, I get this error:
GSSAPI Error: Unspecified GSS failure. Minor code may provide more information
(Credentials cache file '/tmp/krb5cc_55' not found)
I think this means that the consumer doesn't have a valid TGT. How do I configure the consumer to get a valid TGT? I've read some older sources that recommend using k5start or a cron job. Is this still the way to do it?
The slapd.conf manual pages state that authcid and authzid can be used in conjunction with bindmethod=sasl, but they don't specify how these should be formatted. Should I put a DN here, a Kerberos principal, or maybe something else? Do I need to specify these?
Thank you for your help.
Consumer config:
database bdb
suffix "dc=example"
rootdn "uid=someuser,cn=realm,cn=gssapi,cn=auth"
directory /var/lib/ldap
dirtyread
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
syncrepl rid=1
    provider=ldap://provider.realm
    type=refreshAndPersist
    starttls=yes
    searchbase="dc=example"
    schemachecking=off
    bindmethod=sasl
    saslmech=gssapi
    retry="10 +"
Provider config:
database bdb
suffix "dc=example"
rootdn "uid=someuser,cn=realm,cn=gssapi,cn=auth"
directory /var/lib/ldap
dirtyread
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
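The error above says the consumer's slapd looked for a credentials cache and found none, so the TGT has to be provisioned for the slapd process outside of any interactive login. The following POSIX sh helper is an added example, not part of the original question and not code from OpenLDAP or k5start: it obtains the TGT from a keytab with MIT Kerberos's kinit, places it in the cache slapd expects, and refuses to run if the keytab is readable by anyone but its owner. It assumes (none of this is stated on the page) that slapd runs as uid 55, inferred from the cache path /tmp/krb5cc_55 in the error, that the consumer authenticates as the hypothetical principal ldap/consumer.realm@REALM, and that the keytab lives at the hypothetical path /etc/ldap/consumer.keytab.

```shell
#!/bin/sh
# Added example (not from the original question, OpenLDAP or k5start):
# provision the Kerberos TGT a syncrepl consumer needs from a keytab.
# Assumptions, not stated on the page: slapd runs as uid 55 (inferred from
# the cache path /tmp/krb5cc_55 in the error), the consumer principal is the
# hypothetical ldap/consumer.realm@REALM, and the keytab is at the
# hypothetical path /etc/ldap/consumer.keytab. kinit/klist options are MIT's.

SLAPD_UID=55
CCACHE="/tmp/krb5cc_${SLAPD_UID}"          # the cache slapd looked for in the error
KEYTAB="/etc/ldap/consumer.keytab"         # assumed keytab location
PRINCIPAL="ldap/consumer.realm@REALM"      # assumed consumer principal

# Succeed only if the keytab is readable by its owner alone (mode 0400/0600).
# The keytab is the consumer's long-term key: group/other read access lets
# any local account obtain tickets as the replication identity.
keytab_perms_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    # Characters 5-10 of the ls -l mode field are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ]
}

# The equivalent long-running k5start daemon, as a command line: -U takes the
# principal from the keytab, -K 10 renews every 10 minutes, -b backgrounds,
# -k names the cache and -o hands the cache file to the slapd uid.
k5start_cmd() {
    printf 'k5start -b -f %s -U -K 10 -k %s -o %s' "$KEYTAB" "$CCACHE" "$SLAPD_UID"
}

# One cron-style refresh: refuse a loose keytab, obtain the TGT with the keytab
# (-k -t) into slapd's cache (-c), hand the cache to slapd, then confirm with
# klist -s, which exits 0 only if the cache holds a valid ticket.
refresh_tgt() {
    if ! keytab_perms_ok "$KEYTAB"; then
        echo "refusing: $KEYTAB is missing or readable by group/other" >&2
        return 1
    fi
    kinit -k -t "$KEYTAB" -c "$CCACHE" "$PRINCIPAL" || return 1
    chown "$SLAPD_UID" "$CCACHE" || return 1
    chmod 600 "$CCACHE" || return 1
    klist -s -c "$CCACHE"
}

# Run the refresh only when invoked as: sh refresh-tgt.sh run
if [ "${1:-}" = "run" ]; then
    refresh_tgt
fi
```

Run from cron well inside the ticket lifetime (or replace the cron entry with the k5start command the script prints), and point slapd at the same cache by exporting KRB5CCNAME in its environment if its uid differs from the one assumed here. Note that with saslmech=gssapi the identity the provider sees comes from the Kerberos principal in the ticket, which slapd maps to a DN with authz-regexp; the consumer does not present an authcid.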