Re: ldap_sasl_interactive_bind_s: Can't contact LDAP server
- To: <openldap-technical@openldap.org>
- Subject: Re: ldap_sasl_interactive_bind_s: Can't contact LDAP server
- From: Bill MacAllister <bill@ca-zephyr.org>
- Date: Sun, 03 Dec 2017 12:44:05 -0800
- In-reply-to: <9E3C573A-67BE-47F8-A20A-28F92FD63967@bayour.com>
- References: <B73A7C40-01BB-452F-82B1-C555DF259F2E@bayour.com> <3F78CC58-B07C-48CF-81A1-19996EF71FCB@bayour.com> <b77e1922-bc35-f9eb-7b22-241f1a5ebb3a@stroeder.com> <9E3C573A-67BE-47F8-A20A-28F92FD63967@bayour.com>
- User-agent: Trojita/v0.7-obs-9555fee5; Qt/5.9.1; xcb; Linux; Debian GNU/Linux testing (buster)
On Sunday, November 19, 2017 9:09:50 AM PST, Turbo Fredriksson wrote:
> Has anyone tried running OpenLDAP behind HAProxy? Anything special
> one needs to do?
For Kerberos the problem is in Cyrus SASL and is true for all load
balancers. Indeed it is true for any system that has more than one
name. SASL checks the name that the connection was made to and, if
they don't match, fails.
There are two solutions that I know of. The first is to configure
the LDAP servers and keytab as though all members of the load balanced
pool had the load balanced name. If you do it this way, you cannot
make a GSSAPI LDAP connection to an individual server, only to the load
balancer.
The second is to apply a one line patch to Cyrus SASL. I just apply
the following patch to the servers that I manage.
Description: Accept valid creds not just those matching server name.
--- a/plugins/gssapi.c
+++ b/plugins/gssapi.c
@@ -719,7 +719,7 @@ gssapi_server_mech_authneg(context_t *text,
if ( server_creds == GSS_C_NO_CREDENTIAL) {
GSS_LOCK_MUTEX(params->utils);
maj_stat = gss_acquire_cred(&min_stat,
- text->server_name,
+ GSS_C_NO_NAME,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
GSS_C_ACCEPT,
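Review bot: passing GSS_C_NO_NAME instead of text->server_name makes gss_acquire_cred return a default acceptor credential that covers every principal in the keytab, not only the ldap/ name the client connected to, so from this point the keytab's contents, rather than the connected-to name, decide which service identities this server will accept. The one-line description should state that widening explicitly (for example "Accept any principal in the keytab, not just the one matching the connected-to server name"), and a short comment at the gss_acquire_cred call would tell the next reader of the modified plugin why the server name is deliberately ignored and why the keytab must be kept to the intended ldap/ principals.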
This is not a new problem. I am pretty sure I filed a bug report
about this years ago when I worked at Stanford, but I could not
find it. I did find Simon Wilkinson's excellent description of the
problem that I embedded in an old message to the list at:
https://www.openldap.org/lists/openldap-technical/201009/msg00017.html
Of course, once you apply the patch you will need to use a keytab with
both principal names in it, the hostname and the load balancer name.
For example:
# klist -ke /etc/ldap/ldap.keytab
Keytab name: FILE:/etc/ldap/ldap.keytab
KVNO Principal
---- -------------------------------------------------------------------
1 ldap/somehost.somedomain.tld@SOMEDOMAIN.TLD
1 ldap/somelb.somedomain.tld@SOMEDOMAIN.TLD
Bill
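As an added example (not part of the message, of Cyrus SASL or of OpenLDAP), a POSIX shell check for the keytab requirement described above: once the acceptor is built with GSS_C_NO_NAME it will accept any principal in the keytab, so the keytab should hold exactly the ldap/ principals for the host and the load balancer. It reads `klist -ke` output on stdin; the host, load-balancer and realm names are the placeholders from the message, and the sample output (including the enctype column a real klist -ke prints) is constructed.

```shell
#!/bin/sh
# Added example (not from the original message or from Cyrus SASL): after the
# GSS_C_NO_NAME change the acceptor credential covers every principal in the
# keytab, so the keytab should hold exactly the ldap/ principals for the host and
# the load balancer and nothing else. Reads `klist -ke` output from stdin.
# Usage: klist -ke /etc/ldap/ldap.keytab | check_ldap_keytab HOST LB REALM

check_ldap_keytab() {
    want_host="ldap/$1@$3"
    want_lb="ldap/$2@$3"
    # Data rows begin with a numeric KVNO; field 2 is the principal. klist prints
    # one row per KVNO/enctype, so collapse to one line per distinct principal.
    seen=$(awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u)
    rc=0
    for want in "$want_host" "$want_lb"; do
        if ! printf '%s\n' "$seen" | grep -qxF -- "$want"; then
            echo "missing principal: $want" >&2
            rc=1
        fi
    done
    # Any other principal in the keytab would also be accepted as this server's
    # identity once the acceptor no longer binds to text->server_name.
    extra=$(printf '%s\n' "$seen" | grep -vxF -e "$want_host" -e "$want_lb" | grep -v '^$' || true)
    if [ -n "$extra" ]; then
        echo "unexpected principals in keytab:" >&2
        printf '%s\n' "$extra" | sed 's/^/  /' >&2
        rc=1
    fi
    return $rc
}

# Constructed sample mirroring the klist output in the message, with the enctype
# column a real klist -ke prints; SAMPLE_BAD adds a stale host/ entry.
SAMPLE_OK='Keytab name: FILE:/etc/ldap/ldap.keytab
KVNO Principal
---- -------------------------------------------------------------------
   1 ldap/somehost.somedomain.tld@SOMEDOMAIN.TLD (aes256-cts-hmac-sha1-96)
   1 ldap/somelb.somedomain.tld@SOMEDOMAIN.TLD (aes256-cts-hmac-sha1-96)'
SAMPLE_BAD="$SAMPLE_OK
   2 host/somehost.somedomain.tld@SOMEDOMAIN.TLD (aes256-cts-hmac-sha1-96)"

printf '%s\n' "$SAMPLE_OK"  | check_ldap_keytab somehost.somedomain.tld somelb.somedomain.tld SOMEDOMAIN.TLD && echo "SAMPLE_OK: accepted"
printf '%s\n' "$SAMPLE_BAD" | check_ldap_keytab somehost.somedomain.tld somelb.somedomain.tld SOMEDOMAIN.TLD || echo "SAMPLE_BAD: rejected"
```

The check exits non-zero both when a required principal is missing and when the keytab carries anything beyond the two ldap/ principals, which is the case the GSS_C_NO_NAME patch makes security-relevant.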