Load-balancing LDAP using GSSAPI/Kerberos/Cyrus-SASL

Tadashi Inayama tci at qad.com
Fri Feb 12 17:10:37 EST 2016


Hello,

I am new to using GSSAPI/Kerberos/SASL but we got it working for
authorization for LDAP queries from RHEL 5.11 and RHEL 6.7 clients against
Win2k12 R2 Domain Controllers.

But when we try to load balance the LDAP traffic with F5 LTM (with
dc1.test.com and dc2.test.com as the pool members), ldapsearch via gssapi
works half the time, and the other half we get an error that the message is
changed mid-stream.  We are guessing that Cyrus-SASL does a reverse dns
lookup of the domain controllers as a final check, and if the ip address of
the domain controller does not match the hostname of the F5 Virtual Server
then the error pops back as message changed mid-stream.  So it works half of
the time.

So we did some googling and came across this post:

http://www.openldap.org/lists/openldap-software/200902/msg00019.html

"There is a work around for this at the GSSAPI layer, which is to tell the
server to trust any principal that exists in the service's keytab.
Unfortunately, Cyrus SASL doesn't seem to expose a mechanism for doing
this, and so the only way to do so is via a code change to the SASL
library."

This post was from 2009.  So is there currently a mechanism in Cyrus SASL
to trust the principals whose key exists in the krb5.keytab?  Or is there
some established method to load balance between two MS Domain Controllers?

(The reason we are trying to load balance the ldap queries is so that when
we perform patch or other maintenance work on the individual domain
controllers, we don't break the authentication/authorization on the RHEL
servers.  Without load balancing, we will need to change the authentication
server entries on krb5.conf and sssd.conf in each of the RHEL servers.  And
we already have dns, ntp, and kerberos load-balancing using the F5, we just
need to get the ldap portion completed.)

Thank you very much,
Tadashi


dc1.test.com     dc2.test.com  (Windows Domain Controllers)
      \                          /
       \                        /
        \                      /
         \                    /
          ldap.test.com (virtual server on F5 LTM)
                   |
                   |
                   |
             linux_client.test.com
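A small added model (not code from this post, from Cyrus SASL or from MIT Kerberos) of the two acceptor policies the quoted 2009 post contrasts, run against the two-DC pool in the diagram above. The keytab contents, the realm and the service principal names are constructed assumptions, chosen only to show how the outcome depends on which backend holds a key for the name the client asked for:

```python
# Added example: model of the GSSAPI acceptor-side principal check behind a
# load balancer. Hostnames, realm and keytab contents are constructed.
from dataclasses import dataclass

REALM = "TEST.COM"  # assumed realm


@dataclass
class Backend:
    host: str
    keytab: set  # service principals whose keys this DC holds (constructed)


def accept_strict(backend, requested_spn):
    """Acceptor bound to its own host principal: the ticket must name exactly
    ldap/<backend host>@REALM, whatever else the keytab contains."""
    own = f"ldap/{backend.host}@{REALM}"
    return requested_spn == own and own in backend.keytab


def accept_any_in_keytab(backend, requested_spn):
    """Acceptor with no fixed name (the "trust any principal in the keytab"
    behaviour the quoted post describes): succeed if the ticket's service
    principal has a key in this backend's keytab."""
    return requested_spn in backend.keytab


def pool_success_fraction(pool, requested_spn, acceptor):
    """Fraction of round-robin connections to the pool that authenticate."""
    ok = sum(1 for b in pool if acceptor(b, requested_spn))
    return ok / len(pool)


# Constructed topology matching the diagram: the client asks the KDC for a
# ticket to the virtual-server name, not to either DC's own name.
VIP_SPN = f"ldap/ldap.test.com@{REALM}"
dc1 = Backend("dc1.test.com", {f"ldap/dc1.test.com@{REALM}", VIP_SPN})
dc2 = Backend("dc2.test.com", {f"ldap/dc2.test.com@{REALM}"})
POOL = [dc1, dc2]
# Same pool, but both backends hold a key for the virtual-server name.
POOL_BOTH = [dc1, Backend("dc2.test.com", {f"ldap/dc2.test.com@{REALM}", VIP_SPN})]

if __name__ == "__main__":
    for label, fn in (("strict", accept_strict), ("any-in-keytab", accept_any_in_keytab)):
        print(label, POOL[0].host, "+", POOL[1].host, pool_success_fraction(POOL, VIP_SPN, fn))
        print(label, "both hold VIP key", pool_success_fraction(POOL_BOTH, VIP_SPN, fn))
```

The model says nothing about reverse DNS; it only shows that the acceptor policy alone is not enough unless every pool member holds a key for the name the client requested, and in Active Directory a given SPN can be registered on only one account, so whether that second case is reachable is a directory question rather than an acceptor-logic one.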