[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: HA openldap-kerberos problem

To: dijuremo@math.gatech.edu, openldap-software@OpenLDAP.org
Subject: Re: HA openldap-kerberos problem
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Tue, 15 Mar 2005 11:15:08 -0800
Content-disposition: inline
In-reply-to: <20050315112341.bb0iihh7wgccgs0s@webmail.math.gatech.edu>
References: <20050315112341.bb0iihh7wgccgs0s@webmail.math.gatech.edu>

--On Tuesday, March 15, 2005 11:23 AM -0500 dijuremo@math.gatech.edu wrote:

Hi,

I have a master ldap server:  gandalf.ibb.gatech.edu
I have an alias ldap.ibb.gatech.edu that points to gandalf.ibb.gatech.edu

I have two servers configured with drbd and heartbeat that use a virtual
ip address to host services:
ibbstaff.ibb.gatech.edu  (10.0.0.15 virtual IP)
alias for nfs.ibb.gatech.edu that points to ibbstaff.ibb.gatech.edu
alias for samba.ibb.gatech.edu that points to ibbstaff.ibb.gatech.edu
alias for ldap2.ibb.gatech.edu that points to ibbstaff.ibb.gatech.edu
arwen.ibb.gatech.edu     (10.0.0.16) (Primary server)
aragorn.ibb.gatech.edu  (10.0.0.17) (Secondary server)

I have created ketyab files on both arwen and aragorn under:
/etc/openldap/keytabs/ldap.keytab that includes the principals:
For arwen:
ldap/arwen.ibb.gatech.edu
ldap/ibbstaff.ibb.gatech.edu
For aragorn:
ldap/arwen.ibb.gatech.edu
ldap/ibbstaff.ibb.gatech.edu

Aragorn should have:

ldap/aragorn.ibb.gatech.edu

You do not need the ldap/ibbstaff* keytabs.

I use a pool of 9 replicas and one master. 6 of the replica's are in an "ldap.stanford.edu" pool.

tribes:~> klist
Ticket cache: FILE:/tmp/krb5cc_54046_X18704
Default principal: quanah@stanford.edu

Valid starting     Expires            Service principal
03/15/05 11:12:58  03/16/05 12:12:58  krbtgt/stanford.edu@stanford.edu

tribes:~> lsearch uid=quanah uid
dn: uid=quanah,cn=Accounts,dc=Stanford,dc=edu
uid: quanah

dn: suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=Stanford,dc=edu
uid: quanah

tribes:~> klist
Ticket cache: FILE:/tmp/krb5cc_54046_X18704
Default principal: quanah@stanford.edu

Valid starting     Expires            Service principal
03/15/05 11:12:58  03/16/05 12:12:58  krbtgt/stanford.edu@stanford.edu
03/15/05 11:13:15  03/16/05 12:12:58  ldap/ldap6.stanford.edu@stanford.edu

ldap6:/afs/ir/users/q/u/quanah# klist -k /etc/krb5.keytab Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 4 host/ldap6.stanford.edu@stanford.edu 5 ldap/ldap6.stanford.edu@stanford.edu

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

Follow-Ups:
- Re: HA openldap-kerberos problem
  - From: dijuremo@math.gatech.edu
- Re: HA openldap-kerberos problem
  - From: "Matthew J. Smith" <matt.smith@uconn.edu>

References:
- HA openldap-kerberos problem
  - From: dijuremo@math.gatech.edu

Prev by Date: Re: ldap load measuring and reproduction tools
Next by Date: Re: userpassword permissions
Index(es):
- Chronological
- Thread