Opened 14 years ago

Closed 13 years ago

#149 closed enhancement (fixed)

use GSSAPI for LDAP-to-LDAP auth instead of SSL certs

Reported by: geofft
Owned by:
Priority: normal
Milestone:
Component: internals
Keywords:
Cc:

Description

LDAP replication authenticates over SSL certs. The problem with SSL certs is that they expire (also we have our own one-off CA for signing these certs). It would be great if we could use this nifty Kerberos thing for authenticating our LDAP servers to each other.

Last time we had an outage due to an expired cert, I got really really close to making GSSAPI authentication work, but it turns out that you can't modify an existing LDAPS replication agreement to turn into an LDAP-with-GSSAPI one, so you need to remove the replication agreement and create a new one, and for various complicated reasons I think the only way that we're really comfortable doing them is tearing down _all_ of the replication agreements at once, making GSSAPI work, and re-configuring replication anew with GSSAPI. This is a bit annoying.

We should first test that it will actually work, by setting up LDAP on two or three VMs and trying GSSAPI auth (with, like, ZONE realm principals).

Once we're comfortable with doing so, we should do this at a time (like, oh, early on a Sunday morning) when we can temporarily turn off account registrations and Pony so we don't have to deal with things needing to be replicated while we're breaking and recreating replication.

See the scripts-team thread "Re: failed scripts account setup" and zlogs of -c scripts -i ldap from May 2, 2010 for more background.

Change History (2)

comment:1 Changed 14 years ago by adehnert

We tried this. It turns out nobody uses GSSAPI or multimaster replication or LDAP or something, and 389DS (or whatever it's called this week) doesn't actually support it.

comment:2 Changed 13 years ago by geofft

  • Resolution set to fixed
  • Status changed from new to closed