"JUNG, Christian" christian.jung@saarstahl.com writes:
> Hi,
> is there a possibility to configure slapd on a multihomed host to authenticate on the different interfaces with different Kerberos principals?
> Example: one host running linux with two NICs (eth0, eth1) and slapd
> eth0: IP 10.0.0.23, hostname ldap.sn-1.example.com
> eth1: IP 10.1.0.42, hostname ldap.sn-2.example.com
> A client which connects via hostname ldap.sn-1.example.com would request a ticket for the principal ldap/ldap.sn-1.example.com@EXAMPLE.COM and one connecting via ldap.sn-2.example.com would request a ticket for ldap/ldap.sn-2.example.com@EXAMPLE.COM.
You may run two different instances of slapd, the second instance as a proxy.
> Does it suffice to store both keys in the keytab to enable slapd to authenticate for both principals, i.e. does it pick the right key?
Yes, if your system is set up accordingly.
> Which hostname should I define as sasl-host when using SASL to enable plain-text authentication over an SSL-secured connection, or is it possible to set multiple sasl-hosts?
By default slapd uses the hostname (gethostbyname(3)) as the SASL host.
-Dieter
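As an added example that is not part of this thread: a small POSIX shell check that a keytab listing contains a service principal for every hostname the multihomed slapd answers on, i.e. the "both keys in the keytab" precondition discussed above. It assumes the keytab is the one slapd's GSSAPI mechanism reads (KRB5_KTNAME, defaulting to /etc/krb5.keytab) and uses a constructed sample of klist -k output so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: verify that every expected
# ldap/<host>@REALM principal appears in a "klist -k" style listing.
# Usage: keytab_has_principals "<klist -k output>" principal...
# Returns 0 if all principals are present, 1 otherwise (missing ones on stderr).
keytab_has_principals() {
    listing=$1
    shift
    missing=0
    for princ in "$@"; do
        # klist -k prints "KVNO Principal"; compare the principal column exactly
        if ! printf '%s\n' "$listing" |
             awk -v p="$princ" '$2 == p { found = 1 } END { exit !found }'; then
            echo "missing from keytab: $princ" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed sample of what "klist -k" might print on the host from the
# question: one key per interface hostname, both in the same realm.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 ldap/ldap.sn-1.example.com@EXAMPLE.COM
   3 ldap/ldap.sn-2.example.com@EXAMPLE.COM
   2 host/ldap.sn-1.example.com@EXAMPLE.COM'

# Hostnames slapd is reachable under (assumed from the question) and the realm.
REALM=EXAMPLE.COM
HOSTS="ldap.sn-1.example.com ldap.sn-2.example.com"

# Live check against the real keytab, skipped when klist is not installed.
# KRB5_KTNAME is the MIT Kerberos variable naming the keytab GSSAPI reads.
if command -v klist >/dev/null 2>&1; then
    set --
    for h in $HOSTS; do set -- "$@" "ldap/$h@$REALM"; done
    keytab_has_principals "$(klist -k "${KRB5_KTNAME:-/etc/krb5.keytab}" 2>/dev/null)" "$@" \
        || echo "keytab is missing a principal for at least one interface" >&2
fi
```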