
Re: HA openldap-kerberos problem



The problem is actually with the virtual IP on the servers: they have a real
IP and they do a takeover on the .15 virtual IP through heartbeat. I want
to have a highly available ldap slave by doing IP takeover with either arwen
or aragorn.

Since .15 resolves to ibbstaff.ibb.gatech.edu, the openldap server
tries to use the keytab for ldap/ibbstaff.ibb.gatech.edu instead of the
keytab for ldap/arwen.ibb.gatech.edu when arwen is up and running ldap on
the virtual IP, or ldap/aragorn if aragorn took over because arwen was down
(takeover happens using the heartbeat software).

Each server, arwen and aragorn, can grab the IP ending in 15, and all client
computers use that IP, so that when one server goes down the other one
grabs the IP to start all services.  This is transparent to the clients.

If I only put keytabs for ldap/arwen on arwen and ldap/aragorn on aragorn,
then when the client tries to talk to the virtual IP, I get:

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context

I know you can have ldap1, ldap2, ldap3... ldapn separate servers running,
but this is related to one server having 2 IPs with different hostnames for
each IP.

Diego

Quoting Quanah Gibson-Mount <quanah@stanford.edu>:



--On Tuesday, March 15, 2005 11:23 AM -0500 dijuremo@math.gatech.edu wrote:

Hi,

I have a master ldap server:  gandalf.ibb.gatech.edu
I have an alias ldap.ibb.gatech.edu that points to gandalf.ibb.gatech.edu

I have two servers configured with drbd and heartbeat that use a virtual
ip address to host services:
ibbstaff.ibb.gatech.edu  (10.0.0.15 virtual IP)
alias for nfs.ibb.gatech.edu that points to ibbstaff.ibb.gatech.edu
alias for samba.ibb.gatech.edu that points to ibbstaff.ibb.gatech.edu
alias for ldap2.ibb.gatech.edu that points to ibbstaff.ibb.gatech.edu
arwen.ibb.gatech.edu     (10.0.0.16) (Primary server)
aragorn.ibb.gatech.edu  (10.0.0.17) (Secondary server)

I have created keytab files on both arwen and aragorn under:
/etc/openldap/keytabs/ldap.keytab that includes the principals:
For arwen:
ldap/arwen.ibb.gatech.edu
ldap/ibbstaff.ibb.gatech.edu
For aragorn:
ldap/arwen.ibb.gatech.edu
ldap/ibbstaff.ibb.gatech.edu


Aragorn should have:

ldap/aragorn.ibb.gatech.edu

You do not need the ldap/ibbstaff* keytabs.

I use a pool of 9 replicas and one master.  6 of the replicas are in an
"ldap.stanford.edu" pool.

tribes:~> klist
Ticket cache: FILE:/tmp/krb5cc_54046_X18704
Default principal: quanah@stanford.edu

Valid starting     Expires            Service principal
03/15/05 11:12:58  03/16/05 12:12:58  krbtgt/stanford.edu@stanford.edu

tribes:~> lsearch uid=quanah uid
dn: uid=quanah,cn=Accounts,dc=Stanford,dc=edu
uid: quanah

dn: suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=Stanford,dc=edu
uid: quanah

tribes:~> klist
Ticket cache: FILE:/tmp/krb5cc_54046_X18704
Default principal: quanah@stanford.edu

Valid starting     Expires            Service principal
03/15/05 11:12:58  03/16/05 12:12:58  krbtgt/stanford.edu@stanford.edu
03/15/05 11:13:15  03/16/05 12:12:58  ldap/ldap6.stanford.edu@stanford.edu


ldap6:/afs/ir/users/q/u/quanah# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/ldap6.stanford.edu@stanford.edu
   5 ldap/ldap6.stanford.edu@stanford.edu

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
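The failure Diego describes is a keytab that lacks the service principal for the name clients actually resolve (the virtual IP's reverse name), so the server cannot decrypt the ticket the client obtained and gss_accept_sec_context fails. The script below is an added example, not code from either poster or from OpenLDAP: it parses `klist -k` output in the format shown above and reports which `ldap/<host>@REALM` keys are missing for each address clients are pointed at. The `klist` text, the reverse-DNS map and the realm IBB.GATECH.EDU are constructed for the example (the thread never states the gatech realm). It models the reverse-lookup canonicalisation the poster observed; whether a client really does that lookup depends on its Kerberos library settings (for MIT krb5, `rdns` and `dns_canonicalize_hostname` in `[libdefaults]`), so run it against the names your own clients produce.

```python
"""Audit an LDAP server's keytab against every name clients may use for it.

Added example for the thread above; it is not the posters' code.  The
klist output, the PTR map and the realm below are constructed samples.
"""
import re
import sys
from typing import Dict, Iterable, List

# Constructed `klist -k` output in the layout shown in the thread
# (KVNO column, then principal).  This is what arwen would hold if only
# its own host-specific keys were installed.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/openldap/keytabs/ldap.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/arwen.ibb.gatech.edu@IBB.GATECH.EDU
   5 ldap/arwen.ibb.gatech.edu@IBB.GATECH.EDU
"""

# Constructed reverse-DNS answers for the addresses named in the thread.
SAMPLE_PTR = {
    "10.0.0.15": "ibbstaff.ibb.gatech.edu",   # heartbeat virtual IP
    "10.0.0.16": "arwen.ibb.gatech.edu",      # primary, real IP
    "10.0.0.17": "aragorn.ibb.gatech.edu",    # secondary, real IP
}

# Assumed realm; the page never states it for the gatech hosts.
SAMPLE_REALM = "IBB.GATECH.EDU"

# One keytab entry line: a KVNO and a principal, e.g. "   5 ldap/host@REALM".
_ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist_k(text: str) -> Dict[str, int]:
    """Return {principal: highest KVNO} from `klist -k` output.

    Header lines ("Keytab name:", "KVNO Principal", the dashed rule) do not
    match the entry pattern and are skipped.  A principal stored with several
    key versions is kept once, with its highest KVNO.
    """
    principals: Dict[str, int] = {}
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        kvno, princ = int(m.group(1)), m.group(2)
        principals[princ] = max(kvno, principals.get(princ, -1))
    return principals


def service_principal(service: str, hostname: str, realm: str) -> str:
    """Build the principal a GSSAPI client asks the KDC for: service/fqdn@REALM."""
    return f"{service}/{hostname.lower().rstrip('.')}@{realm}"


def missing_principals(keytab_text: str, addresses: Iterable[str],
                       ptr_map: Dict[str, str], realm: str,
                       service: str = "ldap") -> List[str]:
    """Principals clients will request that the keytab cannot serve.

    For each address a client may connect to, take the hostname it reverse-
    resolves to (the behaviour described in the thread), derive the service
    principal, and flag it if the keytab has no key for it.
    """
    have = parse_klist_k(keytab_text)
    needed = []
    for addr in addresses:
        if addr not in ptr_map:
            raise KeyError(f"no reverse name known for {addr}")
        needed.append(service_principal(service, ptr_map[addr], realm))
    return sorted(p for p in needed if p not in have)


if __name__ == "__main__":
    # Clients use the virtual IP; arwen also answers on its real IP.
    gaps = missing_principals(SAMPLE_KLIST_OUTPUT, ["10.0.0.15", "10.0.0.16"],
                              SAMPLE_PTR, SAMPLE_REALM)
    for princ in gaps:
        print(f"keytab has no key for {princ}; GSSAPI binds to that name will fail")
    sys.exit(1 if gaps else 0)
```

Feed it real data by replacing the sample string with the output of `klist -k /etc/openldap/keytabs/ldap.keytab` and the PTR map with what `host 10.0.0.15` returns on a client; a non-zero exit means at least one name clients use has no matching key on this server.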