Dear Alexander,
We're wondering that too; there's obviously a disparity between the domain that
either end is issuing the LDAP ticket for, and the SRV records for the
`virt.in.bmrc.ox.ac.uk` domain all point to the LDAP endpoint. Do I need specific SRV
records for ldaps and not ldap? I earlier attached a screenshot of our domain setup for
the VIRT subdomain.
I fear the opposite may be the case and the client is requesting the correct one, but the
LDAP server is defaulting to the root domain, not the subdomain.
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum@well.ox.ac.uk
On 11 Mar 2019, at 16:19, Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Mon, 11 Mar 2019, Callum Smith wrote:
Locally on the IPA server I note that doing an ldapsearch using GSSAPI works if I use the
ldap host:
ldaps://ipa-b.in.bmrc.ox.ac.uk/
but not:
ldaps://ipa-b.virt.in.bmrc.ox.ac.uk/
Since the client can only access the network that is
ipa-b.virt.in.bmrc.ox.ac.uk it needs to be able to communicate to LDAP
via that hostname. Is this actually possible, since the TGT is _always_
going to be on ipa-b.$domain because of the nsslapd-localhost entry?
Question I have is why the client actually chooses ldap/ipa-b.$domain
itself? This is probably the easiest place to change since it is driven
by the DNS discovery so you can influence by whatever is put in the DNS
SRV records.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
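As an added illustration of the mismatch discussed in this thread (not code from either poster or from FreeIPA): a GSSAPI LDAP client derives the service principal it requests, `ldap/<hostname>@REALM`, from the hostname it connects to, which under DNS discovery is the SRV target; the `ldap/` service part is the same for ldap:// and ldaps://. The script below takes constructed samples in the shape of `dig +short SRV` and `klist -k` output and reports SRV targets whose expected SPN is not in the directory server keytab. The realm `IN.BMRC.OX.AC.UK` and the keytab contents are assumptions for the example.

```python
import re

# Constructed sample in the shape of `dig +short SRV _ldap._tcp.virt.in.bmrc.ox.ac.uk`
# (priority weight port target). The hostname is the one named in the thread;
# the record values themselves are made up for this example.
SRV_VIRT = "0 100 389 ipa-b.virt.in.bmrc.ox.ac.uk.\n"
SRV_ROOT = "0 100 389 ipa-b.in.bmrc.ox.ac.uk.\n"

# Constructed sample in the shape of `klist -k /etc/dirsrv/ds.keytab`; the realm
# and the single principal are assumptions, not the poster's actual keytab.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Principal
---- --------------------------------------------
   2 ldap/ipa-b.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK
"""


def srv_targets(dig_output):
    """Target hostnames from `dig +short SRV` output, lowercased, trailing dot removed."""
    targets = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) == 4:
            targets.append(parts[3].rstrip(".").lower())
    return targets


def keytab_principals(klist_output):
    """Set of principals listed by `klist -k` (skips the header lines)."""
    principals = set()
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)$", line)
        if m:
            principals.add(m.group(1))
    return principals


def missing_spns(dig_output, klist_output, realm, service="ldap"):
    """SPNs a GSSAPI client will request for each SRV target that the keytab cannot serve."""
    have = keytab_principals(klist_output)
    wanted = [f"{service}/{host}@{realm}" for host in srv_targets(dig_output)]
    return [spn for spn in wanted if spn not in have]


if __name__ == "__main__":
    for spn in missing_spns(SRV_VIRT, KEYTAB_LISTING, "IN.BMRC.OX.AC.UK"):
        print("SRV target needs a keytab entry for", spn)
```

With the constructed data, the VIRT SRV target yields a missing `ldap/ipa-b.virt.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK`, while the root-domain target is served; run the same two commands against the real zone and keytab to check which side of the mismatch you are on.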