On 13 Jan 2021, at 10:14, Marc Sauton <msauton(a)redhat.com>
wrote:
Try configuring nsslapd-localhost to the "alias" , with nsslapd-listenhost and
nsslapd-securelistenhost to the hostname of the system.
Thanks,
M.
The problem is this person wants both to work.
The following error message is quite interesting, as it confirms the Kerberos library[5]
found the matching key in the keytab, but will not use it because it is not configured to
do so:
"Request ticket server ldap/ldap.example.net(a)EXAMPLE.NET found in keytab but does
not match server principal ldap/ipa01.example.net@"
Looking at the code, it looks like this is the call stack 389ds is going through to
configure the server's identity
- main.c:main[6]
- bind.c:init_saslmechanisms[7]
- saslbind.c:ids_sasl_init[8]
- localhost.c:get_localhost_DNS[9] (set the "serverfqdn" static global
variable)
- libglobs.c:config_get_localhost[10] (retrieve the FQDN from
"nsslapd-localhost")
The "serverfqdn" variable is then used to call sasl_server_new()[11]. It would
explain why setting "nsslapd-localhost" with the alias causes authentication
against the alias principal to work, but breaks the canonical FQDN one.
This is a major issue for us, as rDNS resolution will be disabled on most of our Kerberos
clients in the future.
Would it be possible that the code was modified, affecting this behaviour, since you
wrote the documentation?
That code hasn't seen much development since I wrote the docs. Saying this I wrote the
docs NOT with ipa but manual KRB + LDAP so you would only want to use a loadbalancer.
I think perhaps the issue is more likely in this case that you have to choose "one or
the other". You must choose either the nsslapd-localhost alias to be the ipa server
name for direct connections OR you must choose the name of the load balancer for load
balanced connections. Saying this if you chose the load balancer name, you will break ipa
replication which itself relies on GSSAPI ....
Sadly, this at this point seems well beyond me, and I think honestly, this becomes a
question to freeipa in how they want to handle load balancing and if they want it to work
in these scenarios, or if they want you to use LDAP SRV records for client initiated load
balancing (which is likely to be their response, because of how they model IPA to be like
AD).
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia