[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: HA openldap-kerberos problem

To: dijuremo@math.gatech.edu
Subject: Re: HA openldap-kerberos problem
From: Howard Chu <hyc@symas.com>
Date: Wed, 16 Mar 2005 12:40:00 -0800
Cc: openldap-software@OpenLDAP.org
In-reply-to: <857BF47C19120F9A2DC85ABC@cadabra-dsl.stanford.edu>
References: <20050315215957.GC4369@tristero.reed.edu> <20050316100359.vizk7b4qeko0oso8@webmail.math.gatech.edu> <857BF47C19120F9A2DC85ABC@cadabra-dsl.stanford.edu>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20050111

Quanah Gibson-Mount wrote:

--On Wednesday, March 16, 2005 10:03 AM -0500 dijuremo@math.gatech.edu wrote:
Hi,
Isn't it possible that this is a feature that needs to be added to the openldap software. Check all the available ldap/fqdn enties in the keytab, check how the request comes (which interface) and then use the appropriate ldap/fqdn entry?

I have no idea how slapd with gssapi authentication works internally (how it decides which keytab to use or how it finds the machine's hostname), but maybe the persons writing the code can actually say if it is possible to add this capability to slapd so that you can have one server with two/more interfaces hosting openldap data even if the interfaces resolve to different hostnames.

This very same problem is present with nfs-utils and I have addressed this concern to the CITI project people. They say they will look into adding support for this to nfs4 on a server that has multiple interfaces with different host names and keytab entries. This is why I would like the openldap experts to answer if this may be added to the openldap software or if it can/should be done in a different way.
I do not think changing your hostname on your server, when it takes over
with hearbeat is a clean solution, I consider it a workaround.
Diego,
This isn't an OpenLDAP issue. This is the way that Kerberos and SASL works. If you feel this is in error, please contact the appropriate developers of those products.

More specifically, slapd doesn't know anything about Kerberos or any keytab, it just uses generic SASL library calls. SASL doesn't know anything about Kerberos either, it just has a GSSAPI plugin that uses generic calls. In general, GSSAPI doesn't know anything about it either, that's a detail that is buried inside a particular GSSAPI mechanism. So the only place this can be fixed is in the Kerberos implementation itself, and it needs to be automatic in order for GSSAPI and everything above it to work.

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support

References:
- Re: HA openldap-kerberos problem
  - From: Ben Poliakoff <benp@reed.edu>
- Re: HA openldap-kerberos problem
  - From: dijuremo@math.gatech.edu
- Re: HA openldap-kerberos problem
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

Prev by Date: Re: HA openldap-kerberos problem
Next by Date: slapadd: dn="uid=someone,ou=users,o=somedomain.com" (line=44): (65) attribute 'c' not allowed
Index(es):
- Chronological
- Thread