On Sunday, November 19, 2017 9:09:50 AM PST, Turbo Fredriksson wrote:
> Has anyone tried running OpenLDAP behind HAProxy? Anything special one needs to do?
For Kerberos the problem is in Cyrus SASL and is true for all load balancers. Indeed, it is true for any system that has more than one name. SASL checks the name that the connection was made to, and if they don't match, it fails.
There are two solutions that I know of. The first is to configure the LDAP servers and keytab as though all members of the load-balanced pool had the load-balanced name. If you do it this way you cannot make a GSSAPI LDAP connection to an individual server, only to the load balancer.
The second is to apply a one line patch to Cyrus SASL. I just apply the following patch to the servers that I manage.
Description: Accept valid creds not just those matching server name. --- a/plugins/gssapi.c +++ b/plugins/gssapi.c @@ -719,7 +719,7 @@ gssapi_server_mech_authneg(context_t *text, if ( server_creds == GSS_C_NO_CREDENTIAL) { GSS_LOCK_MUTEX(params->utils); maj_stat = gss_acquire_cred(&min_stat, - text->server_name, + GSS_C_NO_NAME, GSS_C_INDEFINITE, GSS_C_NO_OID_SET, GSS_C_ACCEPT,
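Review bot: Passing GSS_C_NO_NAME instead of text->server_name to gss_acquire_cred removes the only check in this code path that ties the accepted credential to the name the client connected to, so slapd will now accept a ticket for any principal present in its keytab; the hunk carries no replacement restriction, which makes the contents of the keytab the whole access-control boundary and should be stated in the patch Description (e.g. "the keytab must hold only the ldap/ principals this server is meant to answer for"). The hunk is also cut off after the GSS_C_ACCEPT argument, so the trailing context lines should be restored before this is applied with patch(1).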
This is not a new problem. I am pretty sure I filed a bug report about this years ago when I worked at Stanford, but I could not find it. I did find Simon Wilkinson's excellent description of the problem that I embedded in an old message to the list at:
https://www.openldap.org/lists/openldap-technical/201009/msg00017.html
Of course, once you apply the patch you will need to use a keytab with both principal names in it, the hostname and the load balancer name. For example:
# klist -ke /etc/ldap/ldap.keytab
Keytab name: FILE:/etc/ldap/ldap.keytab
KVNO Principal
---- -------------------------------------------------------------------
   1 ldap/somehost.somedomain.tld@SOMEDOMAIN.TLD
   1 ldap/somelb.somedomain.tld@SOMEDOMAIN.TLD
Bill
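A small check for the keytab requirement described above, added here as an example rather than anything from the list post or from Cyrus SASL or OpenLDAP. Once the gssapi.c patch is in place, slapd accepts a ticket for any principal in its keytab, so the keytab must contain the host principal and the load-balancer principal and nothing else. The script parses the text that `klist -ke` prints and reports principals that are missing from, or unexpected in, the listing. The sample listing, host names, realm and keytab path are constructed placeholders modelled on the post; the line format assumed is MIT klist's "KVNO Principal" table, with an optional "(enctype)" suffix.

```python
"""Check that a slapd keytab, as listed by `klist -ke`, holds exactly the
service principals a load-balanced LDAP server should accept.

Added example, not code from the original post or from Cyrus SASL/OpenLDAP.
Sample output, host names, realm and path are constructed placeholders.
"""

import re
from typing import Dict, List, Set

# Constructed sample: what `klist -ke /etc/ldap/ldap.keytab` prints, modelled
# on the listing in the post (enctype suffixes omitted there as well).
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/ldap/ldap.keytab
KVNO Principal
---- -------------------------------------------------------------------
   1 ldap/somehost.somedomain.tld@SOMEDOMAIN.TLD
   1 ldap/somelb.somedomain.tld@SOMEDOMAIN.TLD
"""

# One body line of the listing: KVNO, whitespace, principal, optional " (enctype)".
_ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+?)(?:\s+\(.*\))?\s*$")


def parse_klist(output: str) -> Dict[str, Set[int]]:
    """Map each principal in the listing to the set of KVNOs present for it."""
    principals: Dict[str, Set[int]] = {}
    for line in output.splitlines():
        # Skip the header, the column title row, the rule line and blanks.
        if line.startswith(("Keytab name:", "KVNO", "----")) or not line.strip():
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised klist line: {line!r}")
        kvno, principal = int(m.group(1)), m.group(2)
        principals.setdefault(principal, set()).add(kvno)
    return principals


def expected_principals(service: str, names: List[str], realm: str) -> Set[str]:
    """Service principals for the host's own name and each load-balancer name."""
    return {f"{service}/{name}@{realm}" for name in names}


def check_keytab(output: str, expected: Set[str]) -> Dict[str, List[str]]:
    """Return the principals missing from, and unexpected in, the keytab.

    With the gssapi.c patch applied, slapd will accept a ticket for any
    principal in its keytab, so an unexpected entry is as much a finding as
    a missing one.
    """
    present = set(parse_klist(output))
    return {
        "missing": sorted(expected - present),
        "unexpected": sorted(present - expected),
    }


if __name__ == "__main__":
    # Hypothetical host and load-balancer names from the post's listing.
    want = expected_principals(
        "ldap", ["somehost.somedomain.tld", "somelb.somedomain.tld"], "SOMEDOMAIN.TLD"
    )
    print(check_keytab(SAMPLE_KLIST_OUTPUT, want))
```

In practice you would feed the script the real output of `klist -ke /etc/ldap/ldap.keytab` on each pool member and fail a deployment check on any non-empty "missing" or "unexpected" list; a keytab that also carries, say, a host/ principal for an unrelated service is exactly what the patched acceptor would silently honour.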