On 3 Dec 2017, at 20:44, Bill MacAllister <bill@ca-zephyr.org> wrote:

> For Kerberos the problem is in Cyrus SASL and is true for all load balancers. Indeed it is true for any system that has more than one
> name. SASL checks the name that the connection was made to and if they don't match fails.

Yes, I had that problem at work, where we run LDAP/MIT Kerberos V behind AWS ELBs. I managed to fix it (with great pain!) so that I can now access LDAP via the one-name ELB, but not individually. Which, as it turned out, I’d prefer anyway. So I wrote my security group (firewall) rules accordingly.

So here at home, behind a HAProxy running on OpenStack, I did exactly the same. But this time I have a much … “weirder” problem. Usually, it doesn’t work right away. But if left completely alone for “a few hours”, it automagically works!

So in my case here at home, there’s something more sinister at work. I’m 99% certain it’s something in either OpenStack or HAProxy, but I can’t figure out what! There’s still that one percent that I can’t explain: I see the initial attempt in the slapd logs, but not the subsequent one. Meaning, I think, that I can talk to slapd just fine, but … “something” that ldapsearch/ldapwhoami does fails.
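The name check Bill describes (the GSSAPI service principal the client asks for versus the one slapd's Cyrus SASL acceptor answers to) is easier to reason about as a small model. The following is an added example, not code from this thread or from Cyrus SASL, OpenLDAP or MIT Kerberos. The realm, host names, addresses and DNS tables are constructed; the acceptor-side rule is the exact-match behaviour the quoted message states (ticket principal must equal `ldap/<sasl-host>` and its key must be in the keytab), and the client-side canonicalisation follows the real `dns_canonicalize_hostname` and `rdns` settings of krb5.conf, simplified. It goes beyond the thread in one respect: it also shows what happens when the balancer address has a reverse record pointing at one backend, which is a failure mode the same model predicts.

```python
"""Model of the Kerberos/GSSAPI service-principal check for LDAP binds
through a load balancer.  Added example, not code from the thread or from
any of the projects discussed; realm, hosts, addresses and DNS tables are
constructed for illustration."""

REALM = "EXAMPLE.COM"

# Constructed DNS.  ldap.example.com is the balancer VIP in front of two
# slapd backends; each backend also has its own forward and reverse record.
FORWARD = {
    "ldap.example.com": "10.0.0.10",
    "ldap1.example.com": "10.0.1.11",
    "ldap2.example.com": "10.0.1.12",
}
REVERSE = {addr: name for name, addr in FORWARD.items()}


def canonical_host(host, dns_canonicalize=True, rdns=True, reverse=REVERSE):
    """Mimic libkrb5 host canonicalisation for a host-based name
    (krb5.conf dns_canonicalize_hostname / rdns): forward-resolve the name
    and, if rdns is on, replace it with the PTR of the resulting address."""
    name = host.rstrip(".").lower()
    if not dns_canonicalize:
        return name
    addr = FORWARD.get(name)
    if addr is not None and rdns:
        name = reverse.get(addr, name).lower()
    return name


def client_target(connect_host, **canon):
    """Principal the client requests a service ticket for when told to
    connect to connect_host: ldap/<canonical host>@REALM."""
    return f"ldap/{canonical_host(connect_host, **canon)}@{REALM}"


def backend_accepts(backend, target):
    """The backend's Cyrus SASL GSSAPI acceptor answers as ldap@<sasl-host>
    (slapd's sasl-host directive, defaulting to the machine's own name).
    The bind succeeds only if the presented ticket is for exactly that
    principal and its key is present in the backend's keytab."""
    acceptor = f"ldap/{backend['sasl_host']}@{REALM}"
    return target == acceptor and acceptor in backend["keytab"]


def gssapi_bind(connect_host, backend, **canon):
    """Return (target principal, accepted?) for one bind attempt that the
    balancer (or the client directly) delivered to `backend`."""
    target = client_target(connect_host, **canon)
    return target, backend_accepts(backend, target)


# Backends as first installed: sasl-host is the machine name and the keytab
# holds only that host's ldap/ principal.
ldap1_default = {
    "sasl_host": "ldap1.example.com",
    "keytab": {f"ldap/ldap1.example.com@{REALM}"},
}
ldap2_default = {
    "sasl_host": "ldap2.example.com",
    "keytab": {f"ldap/ldap2.example.com@{REALM}"},
}

# Backend after the kind of fix described above: it answers as the balancer
# name and its keytab also carries the balancer principal's key.  The cost is
# that binds made directly to the backend's own name now fail.
ldap1_fixed = {
    "sasl_host": "ldap.example.com",
    "keytab": {
        f"ldap/ldap1.example.com@{REALM}",
        f"ldap/ldap.example.com@{REALM}",
    },
}


def bind_via_misconfigured_ptr(routed_to):
    """Caveat beyond the thread: with rdns on (the libkrb5 default) the
    target follows the PTR of the resolved address, not the name the client
    was given.  If the VIP's PTR points at ldap1, every client asks for
    ldap1's principal and the bind only works when the balancer happens to
    route it to ldap1.  Constructed: 10.0.0.10 has a bad PTR here."""
    bad_reverse = dict(REVERSE, **{"10.0.0.10": "ldap1.example.com"})
    target = f"ldap/{canonical_host('ldap.example.com', reverse=bad_reverse)}@{REALM}"
    return backend_accepts(routed_to, target)


if __name__ == "__main__":
    print("direct to ldap1, default config:", gssapi_bind("ldap1.example.com", ldap1_default))
    print("via balancer, default config:  ", gssapi_bind("ldap.example.com", ldap1_default))
    print("via balancer, fixed config:    ", gssapi_bind("ldap.example.com", ldap1_fixed))
    print("direct to ldap1, fixed config: ", gssapi_bind("ldap1.example.com", ldap1_fixed))
    print("bad VIP PTR, routed to ldap1:  ", bind_via_misconfigured_ptr(ldap1_default))
    print("bad VIP PTR, routed to ldap2:  ", bind_via_misconfigured_ptr(ldap2_default))
```

When checking a real setup, compare the service principal in `klist` output after a failed `ldapwhoami -Y GSSAPI -H ldap://<balancer-name>` against `klist -k` on the backend that actually received the connection: the model says the bind fails whenever those two names differ, and the rdns case shows why the client-side name can differ from the one typed on the command line.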