Kerberos and hostnames in a HA environment
Henry B. Hotz
hotz at jpl.nasa.gov
Mon Mar 7 12:58:04 EST 2011
This sounds a bit like "violent agreement" to me.
On Mar 7, 2011, at 9:35 AM, Guillaume Rousse wrote:
> On 07/03/2011 17:53, Bill MacAllister wrote:
>> --On Monday, March 07, 2011 10:48:21 AM +0100 Guillaume Rousse
>> <guillomovitch at gmail.com> wrote:
>>> On 06/03/2011 22:05, Russ Allbery wrote:
>>>> OpenLDAP is the hardest problem, since it uses Cyrus SASL and Cyrus SASL
>>>> doesn't support checking every key in the keytab by default.
>>> OpenLDAP has a 'sasl-host' directive permitting to enforce the hostname
>>> to use, which is enough to get rid of the issue, by using the hostname
>>> attached to the service virtual interface.
>> Actually that doesn't always help. Frequently in HA environments it
>> is useful to be able to connect directly to one of the HA hosts as
>> well as connecting to the HA hostname. Using sasl-host you can only
>> specify one hostname which prevents binding to the directory on a
>> specific host without playing games with hosts files and such.
> You just prevent SASL authentication to work when contacting the server
> node directly AFAIK.
> That's the same issue for any server-authentication mechanism, such as
> TLS: without the ability to have some kind of aliasing in your
> certificate, there is only one way of naming the trusted resource.
> BOFH excuse #365:
> parallel processors running perpendicular today
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
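The trade-off the thread describes (a fixed sasl-host accepts the virtual name but not the node's own name; an acceptor that tries every key in the keytab accepts both, but only for names that actually have a key) can be made concrete with a small model. The following is an added example, not code from the thread, from OpenLDAP or from Cyrus SASL: it parses a constructed sample of MIT `klist -k` output and then decides, for a given client target name, whether a strict single-name acceptor or a keytab-wide acceptor would succeed. The hostnames, realm and keytab path are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of MIT `klist -k` output for one node of an HA LDAP pair.
# Hostnames, realm and keytab path are assumptions for this example.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/node1.example.org@EXAMPLE.ORG
   3 ldap/node1.example.org@EXAMPLE.ORG
   2 ldap/ldap-vip.example.org@EXAMPLE.ORG
"""

# Matches one table row: "<kvno> <service>/<host>@<REALM>"; header lines do not match.
PRINCIPAL_RE = re.compile(r"^\s*(\d+)\s+([^/\s]+)/([^@\s]+)@(\S+)\s*$")


@dataclass(frozen=True)
class Principal:
    kvno: int
    service: str
    host: str
    realm: str

    def __str__(self) -> str:
        return f"{self.service}/{self.host}@{self.realm}"


def parse_klist(text: str) -> list[Principal]:
    """Parse the principal table printed by `klist -k`, skipping header lines."""
    out = []
    for line in text.splitlines():
        m = PRINCIPAL_RE.match(line)
        if m:
            kvno, service, host, realm = m.groups()
            out.append(Principal(int(kvno), service, host.lower(), realm))
    return out


def gssapi_accepts(keytab, client_target, sasl_host=None, service="ldap") -> bool:
    """Model of which service principal a GSSAPI acceptor will honour.

    client_target is the hostname the client used to build its target
    principal (service/<client_target>).  With sasl_host set, the acceptor
    behaves like OpenLDAP with a 'sasl-host' directive: only
    service/<sasl_host> is valid.  With sasl_host=None it models an acceptor
    willing to use any service/* key present in the keytab.  In both cases a
    name with no key in the keytab cannot be accepted.
    """
    target = client_target.lower()
    in_keytab = any(p.service == service and p.host == target for p in keytab)
    if not in_keytab:
        return False
    if sasl_host is None:
        return True
    return target == sasl_host.lower()


def missing_keys(keytab, hostnames, service="ldap") -> list[str]:
    """Names clients may connect to that have no service key on this node."""
    have = {p.host for p in keytab if p.service == service}
    return [h for h in hostnames if h.lower() not in have]


if __name__ == "__main__":
    kt = parse_klist(SAMPLE_KLIST)
    for name in ("ldap-vip.example.org", "node1.example.org"):
        strict = gssapi_accepts(kt, name, sasl_host="ldap-vip.example.org")
        any_key = gssapi_accepts(kt, name)
        print(f"{name}: strict sasl-host={strict}, any key in keytab={any_key}")
    print("missing keys:", missing_keys(
        kt, ["ldap-vip.example.org", "node1.example.org", "node2.example.org"]))
```

`missing_keys` is the check worth running on each node before relying on keytab-wide acceptance: every name a client might use (virtual name and each node name) needs its own `ldap/` key on every node, otherwise direct binds to that node still fail even without a fixed sasl-host.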