Re: GSSAPI and LVS Load balanced ldap servers

[Francis Swasey <Frank.Swasey@uvm.edu>]

On 2/3/09 7:45 AM, Simon Wilkinson wrote:
> On 3 Feb 2009, at 01:31, Frank Swasey wrote:
> > Yeah, that's my guess too of the current failure.
>
> The problem is that both the client and the server must have a 
> matching idea of the service principal to use in establishing the 
> GSSAPI connection.
>
> The client will use ldap/ldap.uvm.edu, as that's the only name it 
> knows the server by. However, the server will end up using 
> ldap/hostname() and therefore the two won't match, and you'll get 
> these errors.
>
> There is a work around for this at the GSSAPI layer, which is to tell 
> the server to trust any principal that exists in the service's keytab. 
> Unfortunately, Cyrus SASL doesn't seem to expose a mechanism for doing 
> this, and so the only way to do so is via a code change to the SASL 
> library.
Thanks.  I have been able to at least get it to work with 
ldap/ldap.uvm.edu by setting the sasl-host argument in slapd.conf.  So, 
now I have reversed the failure mode.  It works with 
ldaps://ldap.uvm.edu and fails with ldaps://<realname>.uvm.edu.  Which 
is "OK" for my purposes.

I'd really like to be able to have both work, but perhaps cyrus-sasl 
will change at some point in the future to support the kind of trickery 
that really happens out here in the world.

--
Frank Swasey                    | http://www.uvm.edu/~fcs
Sr Systems Administrator        | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
 "I am not young enough to know everything." - Oscar Wilde (1854-1900)