
Re: HA openldap-kerberos problem

Hi,

Isn't it possible that this is a feature that needs to be added to the
openldap software?  Check all the available ldap/fqdn entries in the keytab,
check how the request comes in (which interface) and then use the appropriate
ldap/fqdn entry?

I have no idea how slapd with gssapi authentication works internally (how it
decides which keytab to use or how it finds the machine's hostname), but
maybe the persons writing the code can actually say if it is possible to
add this capability to slapd so that you can have one server with two/more
interfaces hosting openldap data even if the interfaces resolve to
different hostnames.

This very same problem is present with nfs-utils and I have addressed this
concern to the CITI project people.  They say they will look into adding
support for this to nfs4 on a server that has multiple interfaces with
different host names and keytab entries.  This is why I would like the
openldap experts to answer if this may be added to the openldap software or
if it can/should be done in a different way.

I do not think changing your hostname on your server, when it takes over
with heartbeat, is a clean solution; I consider it a workaround.

Diego

Quoting Ben Poliakoff <benp@reed.edu>:

> * dijuremo@math.gatech.edu <dijuremo@math.gatech.edu> [20050315 13:36]:
> > The problem is actually with the virtual IP on the servers, they have a real
> > IP and they do a take over on the .15 virtual IP through heartbeat. I want
> > to have a Highly available ldap slave by doing IP takeover with either arwen
> > or aragorn.
>
> I think this is veering off topic, and might better be addressed on the
> kerberos, ldap-interop, or the linuxha/heartbeat lists. At heart, I think
> this is a kerberos, not an openldap issue.
>
> FWIW, I have a similar HA config for one of my mail servers.  I manage
> to get GSSAPI auth working by changing the hostname of the server when
> a service takeover occurs (so that the hostname matches the logical/HA
> name).
>
> Ben
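As an added example (not code from this thread or from OpenLDAP), a small check an administrator can run against `klist -kt` output to confirm that every name a slave answers under, including the heartbeat virtual name, has an ldap/<fqdn> key in the keytab; hostnames, realm and timestamps below are constructed placeholders.

```python
import re

# Constructed sample of MIT Kerberos `klist -kt` output for an HA LDAP slave.
# The physical name has keys, the heartbeat virtual name does not.
# Hostnames, realm and timestamps are placeholders, not values from the thread.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 03/15/2005 13:36:00 ldap/arwen.example.org@EXAMPLE.ORG
   3 03/15/2005 13:36:00 ldap/arwen.example.org@EXAMPLE.ORG
   2 03/15/2005 13:40:00 host/arwen.example.org@EXAMPLE.ORG
"""

# service/instance@REALM; user principals without an instance are skipped
PRINCIPAL_RE = re.compile(r"^([^/@]+)/([^/@]+)@([^@]+)$")

def parse_keytab_listing(text):
    """Map (service, host, realm) -> highest KVNO seen in klist -k/-kt output."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit():
            continue  # "Keytab name:", column header, separator line
        m = PRINCIPAL_RE.match(parts[-1])
        if not m:
            continue
        service, host, realm = m.groups()
        key = (service, host.lower(), realm)
        entries[key] = max(entries.get(key, 0), int(parts[0]))
    return entries

def missing_service_principals(entries, hostnames, service="ldap"):
    """Return the hostnames that have no service/<host>@REALM key at all."""
    covered = {h for (s, h, _realm) in entries if s == service}
    return [h for h in hostnames if h.lower() not in covered]

if __name__ == "__main__":
    # Every name clients may use: physical name plus the heartbeat virtual name.
    names = ["arwen.example.org", "ldap.example.org"]
    entries = parse_keytab_listing(SAMPLE_KLIST)
    for host in missing_service_principals(entries, names):
        print(f"no ldap/{host} key in keytab: GSSAPI binds to that name cannot work")
```

Whether slapd will actually pick the matching key once it is present is the separate question raised above; this only tells you when a key for the HA name is missing entirely.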