[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: GSSAPI and LVS Load balanced ldap servers

To: Frank Swasey <Frank.Swasey@uvm.edu>, OpenLDAP-Software@openldap.org
Subject: Re: GSSAPI and LVS Load balanced ldap servers
From: Quanah Gibson-Mount <quanah@zimbra.com>
Date: Tue, 03 Feb 2009 08:36:43 -0800
Content-disposition: inline
In-reply-to: <alpine.A41.2.00.0902022028010.540688@jncvgv.hiz.rqh>
References: <498753D5.3070009@uvm.edu> <6A31062859C47F9493762EFA@[192.168.1.199]> <alpine.A41.2.00.0902022028010.540688@jncvgv.hiz.rqh>

--On Monday, February 02, 2009 8:31 PM -0500 Frank Swasey <Frank.Swasey@uvm.edu> wrote:

Today at 4:16pm, Quanah Gibson-Mount wrote:

--On Monday, February 02, 2009 3:13 PM -0500 Francis Swasey
<Frank.Swasey@uvm.edu> wrote:

We've finally reached the point in replacing our old authentication
system that I'm attempting to get GSSAPI working with our ldap.uvm.edu
system.


Good luck. :)  The only way I ever got this working was via software
load  balancing on round-robin DNS, where the virtual name would resolve
to the  actual host.


LVS is a software load balancer.  What software load balancer did you use
that also used DNS round-robin (or am I completely confused in my
understanding of what you just wrote)?


Something custom that stanford wrote. ;)

<http://www.eyrie.org/~eagle/software/lbcd/>

But what it doesn't do is make use the LB name when it does the actual bind, as it gets translated into the real host.

Fresh ticket cache:

tribes:~> klist
Ticket cache: FILE:/tmp/krb5cc_54046
Default principal: quanah@stanford.edu

Valid starting     Expires            Service principal
02/03/09 08:33:09  02/04/09 09:33:07  krbtgt/stanford.edu@stanford.edu
02/03/09 08:33:09  02/04/09 09:33:07  afs/ir.stanford.edu@stanford.edu


Kerberos 4 ticket cache: /tmp/tkt54046
klist: You have no tickets cached


ldapsearch:

tribes:~> ldapsearch -h ldap1 uid=quanah uid
SASL/GSSAPI authentication started
SASL username: quanah@stanford.edu
SASL SSF: 56
SASL installing layers
...


Now the ticket cache has ldap/ldap1:
tribes:~> klist
Ticket cache: FILE:/tmp/krb5cc_54046
Default principal: quanah@stanford.edu

Valid starting     Expires            Service principal
02/03/09 08:33:09  02/04/09 09:33:07  krbtgt/stanford.edu@stanford.edu
02/03/09 08:33:09  02/04/09 09:33:07  afs/ir.stanford.edu@stanford.edu
02/03/09 08:33:59  02/04/09 09:33:07  ldap/ldap1.stanford.edu@stanford.edu


Kerberos 4 ticket cache: /tmp/tkt54046
klist: You have no tickets cached

And here's the actual record for ldap.stanford.edu:

tribes:~> host -t txt ldap
ldap.Stanford.EDU       CNAME   ldap.best.Stanford.EDU
ldap.best.Stanford.EDU  TXT     "    150/1.000  ldap3.stanford.edu"
!!! ldap.best.Stanford.EDU TXT record has zero ttl
ldap.best.Stanford.EDU  TXT     "    150/1.000  ldap1.stanford.edu"
!!! ldap.best.Stanford.EDU TXT record has zero ttl
ldap.best.Stanford.EDU  TXT     "    150/1.000  ldap4.stanford.edu"
!!! ldap.best.Stanford.EDU TXT record has zero ttl
ldap.best.Stanford.EDU  TXT     "    120/1.000  ldap2.stanford.edu"
!!! ldap.best.Stanford.EDU TXT record has zero ttl


--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

References:
- GSSAPI and LVS Load balanced ldap servers
  - From: Francis Swasey <Frank.Swasey@uvm.edu>
- Re: GSSAPI and LVS Load balanced ldap servers
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- Re: GSSAPI and LVS Load balanced ldap servers
  - From: Frank Swasey <Frank.Swasey@uvm.edu>

Prev by Date: Re: GSSAPI and LVS Load balanced ldap servers
Next by Date: Re: stable version 2.3
Index(es):
- Chronological
- Thread