Hi, I was just wondering if anyone had any thoughts on this... if not, perhaps a recommendation for the best way to load balance a number of replicas and still allow LDAP to bind using a Kerberos ticket?
Thanks!
Tim

Tim Hartmann wrote:
> Hi,
>
> I've been configuring our Directory Server implementation to use gss-api
> for authentication, and it works great! However I ran into a bit of a
> snag and was hoping someone on the list might have a suggestion for a
> resolution!
>
> I followed the docs during my configuration and all went well
>
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Introduction_to_SASL-Configuring_Kerberos.html
>
> I'm able to bind to our ldap replicas with my TGT when I search the real
> hostname, however we load balance our replicas behind a Cisco SLB which
> serves out a second hostname and IP.
>
> I've updated the ldap keytab file to include both the Kerberos principals for
> the real hostname, and the slb hostname, and am still able to successfully
> bind with Kerberos to the real hostname, but not through the SLB.
>
> I had a similar problem with kerberized ssh a while back, and the solution
> there was a patch to openssh which allowed Kerberos to use any principal in
> the keytab file. (the GSSAPIStrictAcceptorCheck flag in ssh provides this)
> Does FDS have any similar configuration option? Or had anyone run into this
> sort of issue while trying to bind to ldap via kerberos?
>
> I'd also be willing to load balance the servers using some other means
> beside the SLB.
>
> Thanks!!
>
> Tim

--
Fedora-directory-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-directory-users
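The first thing to verify in a setup like the one quoted above is that the server's keytab really carries a service principal for every name clients will connect to (the real hostname and the load-balancer hostname), because a GSSAPI acceptor can only accept a ticket for a principal whose key it holds. The following is an added example, not code from the original post or from the Directory Server project: it builds two small constructed keytabs in the MIT 0x0502 file format, parses them, and reports which hostnames lack an `ldap/<host>@REALM` entry. The realm, hostnames, key bytes and kvno are constructed placeholders. In practice `klist -k /path/to/ldap.keytab` on the server gives the same list of principals; the parser is here to make the check self-contained and to show what is actually in the file.

```python
import struct

# Constructed sample values (not from the original post): a realm, the real
# replica hostname and the load-balancer (SLB) hostname the client connects to.
REALM = "EXAMPLE.COM"
REAL_HOST = "ldap1.example.com"
SLB_HOST = "ldap-vip.example.com"
HOSTS = [REAL_HOST, SLB_HOST]

KRB5_NT_PRINCIPAL = 1          # name type for ordinary service principals
ENCTYPE_AES128_CTS = 17        # aes128-cts-hmac-sha1-96
DUMMY_KEY = bytes(range(16))   # constructed key material, never a real key


def _cstr(raw):
    """Encode a keytab counted_octet_string: uint16 length + bytes."""
    return struct.pack(">H", len(raw)) + raw


def _read_cstr(data, off):
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def encode_entry(components, realm, kvno, enctype=ENCTYPE_AES128_CTS,
                 key=DUMMY_KEY, timestamp=0):
    """Build one MIT keytab (version 0x0502) entry; all integers big-endian."""
    body = struct.pack(">H", len(components)) + _cstr(realm.encode())
    for c in components:
        body += _cstr(c.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _cstr(key)
    body += struct.pack(">I", kvno)      # 32-bit vno, present in modern keytabs
    return struct.pack(">i", len(body)) + body


def build_keytab(principals, realm=REALM, kvno=3):
    """principals: iterable of (service, host) tuples, e.g. ("ldap", host)."""
    return b"\x05\x02" + b"".join(
        encode_entry([svc, host], realm, kvno) for svc, host in principals)


def parse_keytab(data):
    """Parse a version 0x0502 keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted slot
            off += -size
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm, p = _read_cstr(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _read_cstr(data, p)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        (enctype,) = struct.unpack_from(">H", data, p)
        p += 2
        key, p = _read_cstr(data, p)
        kvno = vno8
        if end - p >= 4:                  # optional 32-bit vno overrides vno8
            (vno32,) = struct.unpack_from(">I", data, p)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": timestamp,
                        "kvno": kvno, "enctype": enctype, "key": key})
        off = end
    return entries


def missing_principals(keytab_bytes, hostnames, service="ldap", realm=REALM):
    """Hostnames for which the keytab holds no service/host@REALM key."""
    present = {e["principal"] for e in parse_keytab(keytab_bytes)}
    return [h for h in hostnames if f"{service}/{h}@{realm}" not in present]


# Constructed keytabs: one with only the real host, one with both names.
KEYTAB_REAL_ONLY = build_keytab([("ldap", REAL_HOST)])
KEYTAB_BOTH = build_keytab([("ldap", REAL_HOST), ("ldap", SLB_HOST)])

if __name__ == "__main__":
    for label, kt in (("real only", KEYTAB_REAL_ONLY), ("both", KEYTAB_BOTH)):
        print(label, "-> missing:", missing_principals(kt, HOSTS))
```

If the load-balancer name is missing, adding its `ldap/<slb-hostname>` key to the keytab is the fix; if it is present (as in the quoted post), the remaining question is whether the server's GSSAPI acceptor is pinned to its own hostname or accepts any principal in the keytab, which is the behaviour the `GSSAPIStrictAcceptorCheck` option controls on the ssh side.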
