Re: GSSAPI and LVS Load balanced ldap servers
On 2/3/09 7:45 AM, Simon Wilkinson wrote:
> On 3 Feb 2009, at 01:31, Frank Swasey wrote:
>> Yeah, that's my guess too of the current failure.
>
> The problem is that both the client and the server must have a
> matching idea of the service principal to use in establishing the
> GSSAPI connection.
>
> The client will use ldap/ldap.uvm.edu, as that's the only name it
> knows the server by. However, the server will end up using
> ldap/hostname() and therefore the two won't match, and you'll get
> these errors.
>
> There is a workaround for this at the GSSAPI layer, which is to tell
> the server to trust any principal that exists in the service's keytab.
> Unfortunately, Cyrus SASL doesn't seem to expose a mechanism for doing
> this, and so the only way to do so is via a code change to the SASL
> library.
Thanks. I have been able to at least get it to work with
ldap/ldap.uvm.edu by setting the sasl-host argument in slapd.conf. So,
now I have reversed the failure mode. It works with
ldaps://ldap.uvm.edu and fails with ldaps://<realname>.uvm.edu, which
is "OK" for my purposes.

I'd really like to be able to have both work, but perhaps cyrus-sasl
will change at some point in the future to support the kind of trickery
that really happens out here in the world.
--
Frank Swasey | http://www.uvm.edu/~fcs
Sr Systems Administrator | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
"I am not young enough to know everything." - Oscar Wilde (1854-1900)
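The thread describes two acceptor behaviours: strict matching, where slapd accepts only one service principal (ldap/hostname() by default, or whatever sasl-host names), and the GSSAPI-layer workaround of accepting any principal present in the keytab. The following is an added illustration, not code from the thread or from OpenLDAP or Cyrus SASL: it parses a constructed `klist -k` listing for a hypothetical balanced node (ldap1.uvm.edu, realm UVM.EDU, both assumptions) and reports, for each name a client might connect to, whether acceptance would succeed under each behaviour. Running it shows why setting sasl-host only moves the failure from one name to the other, while the accept-any-in-keytab approach lets both work.

```python
import re
from typing import Dict, List, Set

# Constructed `klist -k` output for a hypothetical load-balanced node.
# The keytab holds the node's own principal and the balanced-name principal.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ldap1.uvm.edu@UVM.EDU
   3 ldap/ldap1.uvm.edu@UVM.EDU
   3 ldap/ldap.uvm.edu@UVM.EDU
"""

# One keytab entry line: a KVNO column followed by a principal with a realm.
PRINCIPAL_RE = re.compile(r"^\s*\d+\s+(\S+@\S+)\s*$")


def parse_keytab_listing(text: str) -> Set[str]:
    """Return the set of principals listed in `klist -k` output."""
    principals = set()
    for line in text.splitlines():
        match = PRINCIPAL_RE.match(line)
        if match:
            principals.add(match.group(1))
    return principals


def service_principal(service: str, host: str, realm: str) -> str:
    """Build the canonical service principal name, e.g. ldap/ldap.uvm.edu@UVM.EDU."""
    return f"{service}/{host}@{realm}"


def acceptor_outcome(keytab: Set[str], server_name: str, client_targets: List[str],
                     realm: str, service: str = "ldap") -> Dict[str, Dict[str, bool]]:
    """For each host name a client might use, report whether GSSAPI acceptance
    succeeds when the server insists on a single name (strict: hostname() by
    default, or the sasl-host value) and when it accepts any keytab principal."""
    server_princ = service_principal(service, server_name, realm)
    results = {}
    for target in client_targets:
        client_princ = service_principal(service, target, realm)
        # Strict: the client's target must equal the server's one configured name,
        # and that name must actually have a key in the keytab.
        strict = client_princ == server_princ and server_princ in keytab
        # Accept-any-in-keytab: any service principal the keytab can decrypt for.
        any_in_keytab = client_princ in keytab
        results[target] = {"strict": strict, "any_in_keytab": any_in_keytab}
    return results


def report(keytab: Set[str], server_name: str, targets: List[str], realm: str) -> None:
    print(f"server accepts only: ldap/{server_name}@{realm}")
    for target, outcome in acceptor_outcome(keytab, server_name, targets, realm).items():
        print(f"  client -> ldaps://{target}: strict={outcome['strict']}, "
              f"any_in_keytab={outcome['any_in_keytab']}")


if __name__ == "__main__":
    kt = parse_keytab_listing(SAMPLE_KLIST)
    names = ["ldap.uvm.edu", "ldap1.uvm.edu"]
    # Default: server uses ldap/hostname(); only the real name works.
    report(kt, "ldap1.uvm.edu", names, "UVM.EDU")
    # With `sasl-host ldap.uvm.edu` in slapd.conf; only the balanced name works.
    report(kt, "ldap.uvm.edu", names, "UVM.EDU")
```

Against a real node the constructed listing would be replaced by the output of `klist -k` on that host; the useful check before changing sasl-host is simply that the principal matching the name clients actually use appears in the listing.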