[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapd with Kerberos and multihomed host

"JUNG, Christian" <christian.jung@saarstahl.com> writes:

> Hi,
> is there a possibility to configure slapd on a multihomed host to
> authenticate on the different interfaces with different Kerberos
> principals?
> Example:
> 	one host running linux with two NICs (eth0, eth1) and slapd
> 	eth0: IP, hostname ldap.sn-1.example.com
> 	eth1: IP, hostname ldap.sn-2.example.com
> A client which connects via hostname ldap.sn-1.example.com would
> request a ticket for the principal
> ldap/ldap.sn-1.example.com@EXAMPLE.COM and one connecting via
> ldap.sn-2.example.com would request a ticket for
> ldap/ldap.sn-2.example.com@EXAMPLE.COM.

You may run 2 different instances of slapd, the second instance as

> Does it suffice to store both keys in the keytab to enable slapd to
> authenticate for both principals, i.e. does it picks the right key?

yes, if your system is setup accordingly. 

> Which hostname should I define as sasl-host when using SASL to enable
> plain-text authentication over a SSL-secured connection or is it
> possible to set multiple sasl-hosts?

As default slapd uses hostname (gethostbyname(3)) as sasl host.


Dieter Klünter | Systemberatung