Kerberos and hostnames in an HA environment
Henry B. Hotz
hotz at jpl.nasa.gov
Mon Mar 7 12:58:04 EST 2011
This sounds a bit like "violent agreement" to me.
On Mar 7, 2011, at 9:35 AM, Guillaume Rousse wrote:
> On 07/03/2011 17:53, Bill MacAllister wrote:
>>
>>
>> --On Monday, March 07, 2011 10:48:21 AM +0100 Guillaume Rousse
>> <guillomovitch at gmail.com> wrote:
>>
>>> On 06/03/2011 22:05, Russ Allbery wrote:
>>>> OpenLDAP is the hardest problem, since it uses Cyrus SASL and Cyrus SASL
>>>> doesn't support checking every key in the keytab by default.
>>> OpenLDAP has a 'sasl-host' directive permitting you to enforce the hostname
>>> to use, which is enough to get rid of the issue, by using the hostname
>>> attached to the service virtual interface.
>>
>> Actually that doesn't always help. Frequently in HA environments it
>> is useful to be able to connect directly to one of the HA hosts as
>> well as connecting to the HA hostname. Using sasl-host you can only
>> specify one hostname which prevents binding to the directory on a
>> specific host without playing games with hosts files and such.
> You just prevent SASL authentication from working when contacting the server
> node directly AFAIK.
>
> That's the same issue for any server-authentication mechanism, such as
> TLS: without the ability to have some kind of aliasing in your
> certificate, there is only one way of naming the trusted resource.
> --
> BOFH excuse #365:
>
> parallel processors running perpendicular today
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu