Multiple Slave LDAP Servers


Ok, so... I'm running into some issues trying to get my LDAP servers to behave correctly. So let me start off by explaining the setup I'm going for, and then go into the problem I'm running into. I have one server that's set to be a master. I have 2 slaves (soon to be more). The slaves answer as ldap.ncsu.edu; the master answers as ldap-master.ncsu.edu. These are -not- their real hostnames, but a second IP address they answer on. I am using a Linux Virtual Server (www.linux-ha.org) ldirectord setup to send requests to the correct slave LDAP server. (ldap-master is not behind LVS; it is a simple CNAME to the real name of the master server.)

Anyway, so here's the deal. Everything works fine -except- GSSAPI. I can do simple binds and everything. If I use ldapsearch -Y GSSAPI, I get the correct ldap/ldap.ncsu.edu ticket, but on the slave LDAP server I get:
Aug 8 00:19:57 uni02ds.unity.ncsu.edu slapd[15733]: [ID 668004 local4.debug] SASL [conn=110] Failure: GSSAPI Error: Miscellaneous failure (Wrong principal in request)
Aug 8 00:19:57 uni02ds.unity.ncsu.edu slapd[15733]: [ID 246281 local4.debug] send_ldap_result: conn=110 op=0 p=3
Aug 8 00:19:57 uni02ds.unity.ncsu.edu slapd[15733]: [ID 291653 local4.debug] send_ldap_result: err=49 matched="" text="SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context"

So... here's the question. How do I go about having replicated slave servers and yet still be able to use GSSAPI? Who else is doing replicated slave servers with GSSAPI, and how are you going about it? Would a round-robin CNAME be a better route to go? The round-robin CNAMEs are working just great. We've noticed that lots of other folks are using LDAP via LVS, but are any of you also using GSSAPI through LVS to LDAP? ;)


\ \\\      Daniel Henninger           http://www.vorpalcloud.org/        /// /
 \_\\\      North Carolina State University - Systems Programmer        ///_/
    \\\                   Information Technology <IT>                  ///
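One way to pin down the "Wrong principal in request" failure described above: a GSSAPI client connecting to ldap.ncsu.edu asks for ldap/ldap.ncsu.edu@REALM, so every replica behind that name needs that principal in its keytab, with the same key version on all of them. The following audit script is an added example, not code from the original post; the realm EXAMPLE.REALM, the second replica uni03ds and the keytab listings are constructed, and the `klist -k` output format is assumed to be the MIT style shown.

```python
"""Audit replica keytabs for the service principal GSSAPI clients will request."""
import re

# Constructed sample in the style of `klist -k` on two replicas (not real keytabs).
KLIST_OUTPUT = {
    "uni02ds.unity.ncsu.edu": """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------
   3 host/uni02ds.unity.ncsu.edu@EXAMPLE.REALM
   3 ldap/uni02ds.unity.ncsu.edu@EXAMPLE.REALM
""",
    "uni03ds.unity.ncsu.edu": """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------
   2 host/uni03ds.unity.ncsu.edu@EXAMPLE.REALM
   2 ldap/uni03ds.unity.ncsu.edu@EXAMPLE.REALM
   5 ldap/ldap.ncsu.edu@EXAMPLE.REALM
""",
}

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+/\S+@\S+)$")


def parse_klist(text):
    """Return {principal: kvno} from klist -k style output (header lines are skipped)."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(2)] = int(m.group(1))
    return entries


def requested_principal(target_host, realm, service="ldap"):
    """Principal a GSSAPI client asks the KDC for when it connects to target_host."""
    return f"{service}/{target_host}@{realm}"


def missing_principals(real_host, klist_text, service_name, realm):
    """Principals one replica must hold (virtual name and its own name) but lacks."""
    have = parse_klist(klist_text)
    needed = [requested_principal(service_name, realm), requested_principal(real_host, realm)]
    return [p for p in needed if p not in have]


def audit(outputs, service_name, realm):
    """Per-replica missing principals, plus whether the shared principal's kvno agrees
    everywhere it exists (a fresh ktadd on each host would randomize the key)."""
    shared = requested_principal(service_name, realm)
    kvnos = {h: parse_klist(t).get(shared) for h, t in outputs.items()}
    consistent = len({k for k in kvnos.values() if k is not None}) <= 1
    return {h: missing_principals(h, t, service_name, realm) for h, t in outputs.items()}, consistent
```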