Re: GSSAPI and LVS Load balanced ldap servers
On 3 Feb 2009, at 01:31, Frank Swasey wrote:
Yeah, that's my guess too of the current failure.
The problem is that both the client and the server must have a
matching idea of the service principal to use in establishing the
GSSAPI connection.
The client will use ldap/ldap.uvm.edu, as that's the only name it
knows the server by. However, the server will end up using
ldap/hostname() and therefore the two won't match, and you'll get these
errors.
There is a workaround for this at the GSSAPI layer, which is to tell
the server to trust any principal that exists in the service's keytab.
Unfortunately, Cyrus SASL doesn't seem to expose a mechanism for doing
this, and so the only way to do so is via a code change to the SASL
library.
S.
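
The mismatch described in the message above, as an added example that is not part of the original post and is not Cyrus SASL or GSSAPI code: a small model that reads `klist -k` style listings for each real server and reports whether a ticket for ldap/ldap.uvm.edu would be accepted under the default behaviour and under the "any principal in the keytab" behaviour. The back-end host names, the realm, the keytab listings and all function names are constructed for illustration.

```python
# Added illustration: a model of acceptor name matching. It makes no Kerberos
# calls. All host names except ldap.uvm.edu, and the realm, are constructed.

SERVICE_NAME = "ldap/ldap.uvm.edu"   # what the client requests (from the post)

# Constructed `klist -k` style listings for two real servers behind the VIP.
KEYTABS = {
    "ldap1.example.edu": """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   3 ldap/ldap1.example.edu@EXAMPLE.EDU
   5 ldap/ldap.uvm.edu@EXAMPLE.EDU
""",
    "ldap2.example.edu": """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   3 ldap/ldap2.example.edu@EXAMPLE.EDU
""",
}

def keytab_principals(listing):
    """Return the principals (realm stripped) named in a klist -k listing."""
    found = set()
    for line in listing.splitlines():
        fields = line.split()
        # Entry rows are "<kvno> <principal>"; header and rule lines are not.
        if len(fields) == 2 and fields[0].isdigit():
            found.add(fields[1].split("@", 1)[0])
    return found

def accepts(requested, hostname, principals, any_in_keytab):
    """Would this server accept a ticket issued for `requested`?"""
    if any_in_keytab:
        # Workaround from the post: any principal with a key in the keytab.
        return requested in principals
    # Default described in the post: server only answers as ldap/hostname().
    own = "ldap/" + hostname
    return requested == own and own in principals

def audit(requested=SERVICE_NAME, keytabs=KEYTABS):
    """Map each host to (default_result, any_in_keytab_result)."""
    report = {}
    for host, listing in keytabs.items():
        names = keytab_principals(listing)
        report[host] = (accepts(requested, host, names, False),
                        accepts(requested, host, names, True))
    return report

if __name__ == "__main__":
    for host, (strict, relaxed) in sorted(audit().items()):
        print(host, "default:", strict, "any-in-keytab:", relaxed)
```

In the constructed data the second server still rejects the ticket under the workaround because its keytab has no key for ldap/ldap.uvm.edu. With the any-principal behaviour the keytab contents define what the server accepts, so a keytab holding only the ldap/ service keys keeps that set narrow.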