[Date Prev][Date Next] [Chronological] [Thread] [Top]

GSSAPI, multiple aliases

To: openldap-software@OpenLDAP.org
Subject: GSSAPI, multiple aliases
From: "Matthew J. Smith" <matt.smith@uconn.edu>
Date: Mon, 20 Sep 2004 13:16:46 -0400
Organization: University of Connecticut ITS

All-
  I may be misunderstanding the process a bit, but could someone tell me
if I am approaching this correctly?  I apologize for the verboseness,
but I am striving for accuracy.

  I am using OpenLDAP 2.2.15.  My goal is to have a primary LDAP server
'ldap1.sub.domain' and a replica server 'ldap2.sub.domain', with public
alias 'ldap.domain' that customers use (pointing to ldap1), all FQDNs
providing GSSAPI and simple binds (via saslauthd + userPassword:
{SASL}...), and syncRepl replication (ldap1->ldap2) using GSSAPI for
authZ.  If ldap1 fails, the 'ldap.domain' FQDN will be pointed to ldap2
(my 'standby' server).

  I have most of this working, except GSSAPI via 'ldap.domain'.  ldap1
and ldap2 each have a private (10.x.y.z) IP, and an associated (forward
A and reverse PTR) FQDN ('ldap1.sub.domain' and 'ldap2.sub.domain'). 
ldap1 also has a public IP (N.N.y.z) with an associated (forward and
reverse) FQDN 'ldap.domain'.  Note that this is not a CNAME, but rather
another IP with an A and PTR record.

  I have installed a keytab on ldap1 for ldap/ldap1.sub.domain and
ldap/ldap.domain (and similar on ldap2).  This keytab is functional and
recognized as GSSAPI does work when accessing 'ldap1.sub.domain', and
saslauthd can correctly authenticate simple binds against either FQDN. 
I can also use this keytab to kinit both principals, so I know both keys
are valid.  I also have syncRepl working very well, using GSSAPI.  The
only missing functionality is GSSAPI against 'ldap.domain'.

  I was hoping that when I connected to <HOSTNAME>, the LDAP service
would look into it's keytab (defined with a KRB5_KTNAME setting in the
startup script, but I have also tried the default krb5.keytab with no
luck) for the ldap/<HOSTNAME> princ, such that a request to either FQDN
would find and use the correct princ in the keytab.  Could someone
confirm that my assumption here is wrong?   Connecting to 'ldap.domain'
gives me the following in the logs:

SASL [conn=114] Failure: GSSAPI Error:  Miscellaneous failure (see text)
(Decrypt integrity check failed)

conn=114 op=2 RESULT tag=97 err=49 text=SASL(-13): authentication
failure: GSSAPI Failure: gss_accept_sec_context


Am I approaching this wrong?  Is there a better way to associate
multiple FQDNs with an OpenLDAP server, such that all FQDNs support
GSSAPI?  Or am I completely off my rocker here?

Thank you for any insight,
-Matt

-- 
Matthew J. Smith <matt.smith@uconn.edu>
University of Connecticut ITS
PGP Key: http://web.uconn.edu/dotmatt/matt.asc

Follow-Ups:
- Re: GSSAPI, multiple aliases
  - From: Donn Cave <donn@u.washington.edu>
- Re: GSSAPI, multiple aliases
  - From: "Matthew J. Smith" <matt.smith@uconn.edu>

Prev by Date: back-sql performance problem workaround
Next by Date: Re: Outlook sees group, but no addresses show up.
Index(es):
- Chronological
- Thread