Hi, I was just wondering if anyone had any thoughts on this... if not, perhaps a recomendation for the best way to load balance a number of replicas and still allow LDAP to bind using a Kerberos ticket? Thanks! Tim Tim Hartmann wrote: > Hi, > > I've been configuring our Directory Server implementation to use gss-api > for authentication, and it works great! However I ran into a bit of a > snag and was hoping someone on the list might have a suggestion for a > resolution! > > I followed the docs during my configuration and all went well > > http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Introduction_to_SASL-Configuring_Kerberos.html > > I'm able to bind to our ldap replicas with my TGT when I search the real hostname, however we load balance our replicas behind a Cisco SLB which serves out a second hostname and IP. > > I've updated the ldap keytab file to include both the Kerberos principles for the real hostname, and the slb hostname, and am still able to sucessfully bind with Kerberos to the real hostname, but not through the SLB. > > I had a similar problem with kerberized ssh a while back, and the solution there was a patch to openssh which allowed Kerberos to use any principle in the keytab file. (the GSSAPIStrictAcceptorCheck flag in ssh provides this) Does FDS have any similar configuration option? Or had anyone run into this sort of issue while trying to bind to ldap via kerberos? > > I'd also be willing to load balance the servers useing some other means beside the SLB. > > Thanks!! > > > Tim > > > > >