Re: HA openldap-kerberos problem



Quanah Gibson-Mount wrote:



--On Wednesday, March 16, 2005 10:03 AM -0500 dijuremo@math.gatech.edu wrote:

Hi,

Isn't it possible that this is a feature that needs to be added to the openldap software? Check all the available ldap/fqdn entries in the keytab, check how the request comes in (which interface), and then use the appropriate ldap/fqdn entry?


I have no idea how slapd with gssapi authentication works internally (how it decides which keytab to use or how it finds the machine's hostname), but maybe the persons writing the code can actually say if it is possible to add this capability to slapd so that you can have one server with two/more interfaces hosting openldap data even if the interfaces resolve to different hostnames.


This very same problem is present with nfs-utils and I have addressed this concern to the CITI project people. They say they will look into adding support for this to nfs4 on a server that has multiple interfaces with different host names and keytab entries. This is why I would like the openldap experts to answer if this may be added to the openldap software or if it can/should be done in a different way.


I do not think changing your hostname on your server, when it takes over with heartbeat, is a clean solution; I consider it a workaround.


Diego,

This isn't an OpenLDAP issue. This is the way that Kerberos and SASL work. If you feel this is in error, please contact the appropriate developers of those products.

More specifically, slapd doesn't know anything about Kerberos or any keytab, it just uses generic SASL library calls. SASL doesn't know anything about Kerberos either, it just has a GSSAPI plugin that uses generic calls. In general, GSSAPI doesn't know anything about it either, that's a detail that is buried inside a particular GSSAPI mechanism. So the only place this can be fixed is in the Kerberos implementation itself, and it needs to be automatic in order for GSSAPI and everything above it to work.


--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support