LDAP replication with Kerberos auth and k5start

by Juliet Kemp

I run LDAP + Kerberos on my network for directory information and authentication. After setting everything up initially, I later acquired a spare machine and decided to run it as a slave LDAP server, replicated from the master with slurpd.

Executive summary: two processes on the same machine that need to authenticate as two different Kerberos principals at the same time cannot share one credential cache. Give each its own cache file, point the process at it with the KRB5CCNAME environment variable, and let k5start keep the ticket in that cache renewed from a keytab. Details follow...
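The executive summary as a small, self-contained script (an added example, not code from the original post or from the comment below): one credential cache per service, KRB5CCNAME set only for the process that should use it, and k5start started before the daemon so the cache is populated before the first bind. The service names, keytab paths and the principal in the usage comment are hypothetical; the k5start flags are the tool's real ones.

```shell
#!/bin/sh
# Added example, not code from the original post. Paths, the service names
# and the principal in the usage comment are hypothetical; the k5start flags
# are the real ones (-b background after the first ticket, -K n refresh every
# n minutes, -k cache file, -p pid file, -f keytab, then the principal).
set -u

# One credential cache per service. Two daemons that must hold tickets for
# two different principals each set KRB5CCNAME to their own cache; a process
# that does not set it falls back to the default cache of its uid, which on
# a server is usually root's interactive tickets.
ccache_for() {
    printf 'FILE:/var/run/%s.tkt\n' "$1"       # $1 = service name
}

# k5start command line for a service, built in one place so that the init
# script and an operator checking it by hand run the same thing.
k5start_cmdline() {
    svc=$1 princ=$2 keytab=$3
    cache=$(ccache_for "$svc")
    printf 'k5start -b -K 10 -k %s -p /var/run/k5start-%s.pid -f %s %s\n' \
        "${cache#FILE:}" "$svc" "$keytab" "$princ"
}

# Run a command with KRB5CCNAME pointing at the service's cache. The
# variable is set for that command only, so the caller's own cache and the
# caches of other services started from the same script are untouched.
run_with_ccache() {
    svc=$1; shift
    KRB5CCNAME=$(ccache_for "$svc") "$@"
}

# The keytab holds the principal's long-term key: refuse one that is
# readable by group or other (ls columns 5-10 are the g/o permission bits).
keytab_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Start k5start for the service (with -b it forks only after the initial
# ticket is in the cache, so a bad keytab or unreachable KDC fails here,
# not at the daemon's first bind), then run the daemon under that cache.
start_under_k5start() {
    svc=$1 princ=$2 keytab=$3; shift 3
    keytab_ok "$keytab" || { echo "$keytab: missing or group/other readable" >&2; return 1; }
    if command -v k5start >/dev/null 2>&1; then
        sh -c "$(k5start_cmdline "$svc" "$princ" "$keytab")" || return 1
    else
        echo "k5start not installed; running $svc without ticket renewal" >&2
    fi
    run_with_ccache "$svc" "$@"
}

# Usage (hypothetical), e.g. from an init script; each line gets its own cache:
#   start_under_k5start slurpd rep_adm /etc/ldap/slurpd.keytab /usr/sbin/slurpd
#   start_under_k5start backup backup /etc/backup.keytab /usr/local/bin/backup-run
```

The cache goes under /var/run rather than /tmp: libkrb5 creates the file mode 0600 either way, but a predictable name in a world-writable directory invites symlink games by other local users, and a root-only directory removes that. Whatever path you choose, the daemon must run as the same uid as k5start (or as root) to read the cache.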


1 Comment

sahan
2007-03-06 15:28:46
# Credential cache shared by k5start (which fills it) and slurpd (which
# reads it). k5start creates the file mode 0600; a directory only root can
# write, such as /var/run, is safer than a predictable name in /tmp.
KRB5CCNAME="FILE:/tmp/ldap_replicator.tkt"
export KRB5CCNAME


.....


start_slurpd() {
    if [ "$SLURPD_START" != yes ]; then
        return 0
    fi
    # Start k5start first so the cache named by KRB5CCNAME holds a ticket
    # before slurpd tries to bind. With -b, k5start obtains the initial
    # ticket for rep_adm from the keytab and only then forks into the
    # background; -K 10 renews it every 10 minutes.
    echo -n " k5start"
    reason_kstart="`start-stop-daemon --start --quiet --oknodo \
        --pidfile /var/run/k5start.pid \
        --exec /usr/bin/k5start -- -b -K 10 \
        -k /tmp/ldap_replicator.tkt \
        -p /var/run/k5start.pid \
        -f /etc/ldap/slurpd.keytab rep_adm 2>&1`"
    # slurpd inherits KRB5CCNAME from this script's environment and so
    # authenticates to the slave as rep_adm, not with root's default cache.
    echo -n " slurpd"
    reason="`start-stop-daemon --start --quiet --oknodo \
        --exec /usr/sbin/slurpd -- $SLURPD_OPTIONS 2>&1`"
}