On 3 Dec 2017, at 20:44, Bill MacAllister bill@ca-zephyr.org wrote:
For Kerberos the problem is in Cyrus SASL and is true for all load balancers. Indeed it is true for any system that has more than one name. SASL checks the name that the connection was made to and, if they don't match, fails.
Yes, I had that problem at work where we run LDAP/MIT Kerberos V behind AWS ELBs.
I managed to fix it (with great pain!) so that I can now access LDAP via the one-name ELB, but not individually. Which, as it turned out, I’d prefer anyway. So I wrote my security group (firewall) rules accordingly.
So here at home, behind a HAProxy running on OpenStack, I did exactly the same. But this time I have a much … “weirder” problem. Usually, it doesn’t work right away. But if left completely alone for “a few hours”, it automagically works!
So in my case here at home, there’s something more sinister at work.
I’m 99% certain it’s something in either OpenStack or HAProxy, but I can’t figure out what! There’s still that one percent that I can’t explain - I see the initial attempt in the slapd logs, but not the subsequent one. Meaning, I think, that I can talk to slapd just fine, but … “something” that ldapsearch/ldapwhoami does fails.