
HA openldap-kerberos problem



Hi,

I have a master ldap server:  gandalf.ibb.gatech.edu
I have an alias ldap.ibb.gatech.edu that points to gandalf.ibb.gatech.edu

I have two servers configured with drbd and heartbeat that use a virtual ip
address to host services:
ibbstaff.ibb.gatech.edu  (10.0.0.15 virtual IP)
alias for nfs.ibb.gatech.edu that points to ibbstaff.ibb.gatech.edu
alias for samba.ibb.gatech.edu that points to ibbstaff.ibb.gatech.edu
alias for ldap2.ibb.gatech.edu that points to ibbstaff.ibb.gatech.edu
arwen.ibb.gatech.edu     (10.0.0.16) (Primary server)
aragorn.ibb.gatech.edu  (10.0.0.17) (Secondary server)

I have created keytab files on both arwen and aragorn under
/etc/openldap/keytabs/ldap.keytab that include the principals:
For arwen:
ldap/arwen.ibb.gatech.edu
ldap/ibbstaff.ibb.gatech.edu
For aragorn:
ldap/arwen.ibb.gatech.edu
ldap/ibbstaff.ibb.gatech.edu

The ldap.keytab files are owned by the user ldap as that user runs slapd.
Whenever I try to retrieve data using kerberos auth, I get:
[root@gandalf keytabs]# host ldap2
ldap2.ibb.gatech.edu is an alias for ibbstaff.ibb.gatech.edu.

[root@gandalf keytabs]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Manager@IBB.GATECH.EDU

Valid starting     Expires            Service principal
03/15/05 11:10:56  03/15/05 21:10:56  krbtgt/IBB.GATECH.EDU@IBB.GATECH.EDU
        renew until 03/16/05 11:10:56


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@gandalf keytabs]# ldapsearch -Y GSSAPI -D
cn=Manager,dc=ibb,dc=gatech,dc=edu -h ldap2.ibb.gatech.edu 'cn=replicator'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context

A second klist shows that I am getting the keytab corresponding to
ldap/ibbstaff.ibb.gatech.edu as that is the IP I am connecting to since
ldap2.ibb.gatech.edu resolves to ibbstaff.ibb.gatech.edu:
[root@gandalf keytabs]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Manager@IBB.GATECH.EDU

Valid starting     Expires            Service principal
03/15/05 11:10:56  03/15/05 21:10:56  krbtgt/IBB.GATECH.EDU@IBB.GATECH.EDU
        renew until 03/16/05 11:10:56
03/15/05 11:11:01  03/15/05 21:10:56 
ldap/ibbstaff.ibb.gatech.edu@IBB.GATECH.EDU
        renew until 03/16/05 11:10:56

I think the problem is that SASL finds that the real hostname of the server
is arwen and then it throws the error GSSAPI Failure:
gss_accept_sec_context

Any idea how I can accomplish high availability with these two servers
taking over one IP for openldap?  Is it just not possible to do it this
way?
Is there another way?

I am running openldap-2.2.13-2 on a RHEL4 machine.  openldap is compiled
against MIT kerberos by Red Hat without thread support, so it should be
stable and work.

If I change the alias ldap2.ibb.gatech.edu to point to arwen.ibb.gatech.edu,
then I can do kerberos authentication just fine.
[root@gandalf keytabs]# host ldap2
ldap2.ibb.gatech.edu is an alias for arwen.ibb.gatech.edu.
arwen.ibb.gatech.edu has address 128.61.131.16
[root@gandalf keytabs]# ldapsearch -Y GSSAPI -D
cn=Manager,dc=ibb,dc=gatech,dc=edu -h ldap2.ibb.gatech.edu 'cn=replicator'
SASL/GSSAPI authentication started
SASL username: Manager@IBB.GATECH.EDU
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: cn=replicator
# requesting: ALL
#

# Replicator, ibb.gatech.edu
dn: cn=Replicator,dc=ibb,dc=gatech,dc=edu
objectClass: organizationalRole
cn: Replicator
description: Replicator user that updates slave ldap servers

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

Diego
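As an added illustration (not part of Diego's post or of OpenLDAP itself), a small Python model of the principal matching that this failure comes down to: the client follows the CNAME to the canonical host and asks for `ldap/<canonical host>`, while the server side accepts only if the name it hands to gss_accept_sec_context matches the principal in the ticket. It assumes the acceptor name defaults to the node's own hostname unless overridden (slapd's `sasl-host` directive), and that an acceptor using GSS_C_NO_NAME matches any keytab entry; the DNS data and keytab contents are constructed from the post.

```python
# Added illustration: why GSSAPI accept fails when the client targets a
# virtual hostname but slapd's SASL acceptor name is the node's own hostname.
REALM = "IBB.GATECH.EDU"

# Constructed DNS view taken from the post: the alias as a CNAME chain.
CNAMES = {"ldap2.ibb.gatech.edu": "ibbstaff.ibb.gatech.edu"}

# Constructed keytab contents for arwen (from the post).
KEYTAB = {
    f"ldap/arwen.ibb.gatech.edu@{REALM}",
    f"ldap/ibbstaff.ibb.gatech.edu@{REALM}",
}


def canonicalize(host, cnames):
    """Follow the CNAME chain the way the Kerberos client does."""
    seen = set()
    while host in cnames and host not in seen:
        seen.add(host)
        host = cnames[host]
    return host


def client_service_principal(target, cnames):
    """Service principal the client requests a ticket for."""
    return f"ldap/{canonicalize(target, cnames)}@{REALM}"


def accept_outcome(target, cnames, keytab, acceptor_host=None):
    """Return (ok, requested_principal, reason) for one bind attempt.

    acceptor_host: name slapd uses for gss_accept_sec_context, assumed to be
    gethostname() unless overridden (sasl-host). None models GSS_C_NO_NAME,
    where any principal present in the keytab is accepted.
    """
    requested = client_service_principal(target, cnames)
    if requested not in keytab:
        return False, requested, "principal not in keytab"
    if acceptor_host is None:
        return True, requested, "any keytab principal accepted"
    acceptor = f"ldap/{acceptor_host}@{REALM}"
    if acceptor != requested:
        return False, requested, f"acceptor name is {acceptor}"
    return True, requested, "acceptor name matches"


if __name__ == "__main__":
    for alias_target, acceptor in [("ibbstaff.ibb.gatech.edu", "arwen.ibb.gatech.edu"),
                                   ("arwen.ibb.gatech.edu", "arwen.ibb.gatech.edu"),
                                   ("ibbstaff.ibb.gatech.edu", "ibbstaff.ibb.gatech.edu")]:
        dns = {"ldap2.ibb.gatech.edu": alias_target}
        print(accept_outcome("ldap2.ibb.gatech.edu", dns, KEYTAB, acceptor))
```

The first case reproduces the post's failure (ticket for ibbstaff, acceptor named arwen); the second is the working alias-to-arwen setup; the third shows the virtual name working once the acceptor name is the virtual hostname.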