[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: GSSAPI and LVS Load balanced ldap servers



On 2/3/09 7:45 AM, Simon Wilkinson wrote:

On 3 Feb 2009, at 01:31, Frank Swasey wrote:

Yeah, that's my guess too of the current failure.

The problem is that both the client and the server must have a matching idea of the service principal to use in establishing the GSSAPI connection.


The client will use ldap/ldap.uvm.edu, as that's the only name it knows the server by. However, the server will end up using ldap/hostname() and therefore the two won't match, and you'll get these errors.

There is a work around for this at the GSSAPI layer, which is to tell the server to trust any principal that exists in the service's keytab. Unfortunately, Cyrus SASL doesn't seem to expose a mechanism for doing this, and so the only way to do so is via a code change to the SASL library.
Thanks. I have been able to at least get it to work with ldap/ldap.uvm.edu by setting the sasl-host argument in slapd.conf. So, now I have reversed the failure mode. It works with ldaps://ldap.uvm.edu and fails with ldaps://<realname>.uvm.edu. Which is "OK" for my purposes.

I'd really like to be able to have both work, but perhaps cyrus-sasl will change at some point in the future to support the kind of trickery that really happens out here in the world.

--
Frank Swasey                    | http://www.uvm.edu/~fcs
Sr Systems Administrator        | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
 "I am not young enough to know everything." - Oscar Wilde (1854-1900)