Re: GSSAPI authentication w/ and w/o rDNS resolution

> On 13 Jan 2021, at 10:14, Marc Sauton <msauton@xxxxxxxxxx> wrote:
> 
> Try configuring nsslapd-localhost to the "alias" , with nsslapd-listenhost and nsslapd-securelistenhost to the hostname of the system.
> Thanks,
> M.

The problem is this person wants both to work. 

> 
> The following error message is quite interesting, as it confirms the Kerberos library[5] found the matching key in the keytab, but will not use it because it is not configured to do so:
> "Request ticket server ldap/ldap.example.net@xxxxxxxxxxx found in keytab but does not match server principal ldap/ipa01.example.net@"
> 
> Looking at the code, it looks like this is the call stack 389ds is going through to configure the server's identity
> - main.c:main[6]
> - bind.c:init_saslmechanisms[7]
> - saslbind.c:ids_sasl_init[8]
> - localhost.c:get_localhost_DNS[9] (set the "serverfqdn" static global variable)
> - libglobs.c:config_get_localhost[10] (retrieve the FQDN from "nsslapd-localhost")
> 
> The "serverfqdn" variable is then used to call sasl_server_new()[11]. It would explain why setting "nsslapd-localhost" with the alias causes authentication against the alias principal to work, but breaks the canonical FQDN one.
> 
> This is a major issue for us, as rDNS resolution will be disabled on most of our Kerberos clients in the future.
> Would it be possible that the code was modified, affecting this behaviour, since you wrote the documentation?

That code hasn't seen much development since I wrote the docs. Saying this, I wrote the docs NOT with IPA but with manual KRB + LDAP, so you would only want to use a load balancer.

I think perhaps the issue is more likely in this case that you have to choose "one or the other". You must choose either the nsslapd-localhost alias to be the IPA server name for direct connections, OR you must choose the name of the load balancer for load-balanced connections. Saying this, if you choose the load balancer name, you will break IPA replication, which itself relies on GSSAPI ...

Sadly, at this point this seems well beyond me, and honestly I think this becomes a question for FreeIPA: how do they want to handle load balancing, and do they want it to work in these scenarios, or do they want you to use LDAP SRV records for client-initiated load balancing (which is likely to be their response, because of how they model IPA to be like AD).


—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
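The "one or the other" constraint discussed in this thread, modelled as an added example (not 389ds or FreeIPA code): sasl_server_new() is handed the serverfqdn taken from nsslapd-localhost, so the acceptor only accepts ldap/<serverfqdn>, while a client with rDNS canonicalises the alias to the node name and a client without rDNS requests the alias as typed. The host names, realm, keytab contents and PTR mapping are constructed sample values.

```python
# Added example (not 389ds/FreeIPA code): models the name check the quoted
# call stack describes. sasl_server_new() is handed "serverfqdn", taken from
# nsslapd-localhost, so the only acceptable service principal is
# ldap/<serverfqdn>@REALM, regardless of what else the keytab contains.
# Host names, realm, keytab and PTR mapping below are constructed sample values.
from dataclasses import dataclass

REALM = "EXAMPLE.NET"  # constructed
# Constructed: the keytab holds keys for both the node and the alias.
KEYTAB = {f"ldap/ipa01.example.net@{REALM}", f"ldap/ldap.example.net@{REALM}"}
# Constructed: with rDNS enabled the client canonicalises the alias to the node.
PTR = {"ldap.example.net": "ipa01.example.net"}


@dataclass(frozen=True)
class Outcome:
    requested: str
    accepted: bool
    reason: str


def requested_principal(target_host: str, rdns: bool) -> str:
    """Service principal the client asks the KDC for."""
    host = PTR.get(target_host, target_host) if rdns else target_host
    return f"ldap/{host}@{REALM}"


def server_check(requested: str, serverfqdn: str) -> Outcome:
    """Acceptor side: the key must be in the keytab AND equal ldap/<serverfqdn>."""
    if requested not in KEYTAB:
        return Outcome(requested, False, "not found in keytab")
    expected = f"ldap/{serverfqdn}@{REALM}"
    if requested != expected:
        return Outcome(requested, False,
                       f"found in keytab but does not match server principal {expected}")
    return Outcome(requested, True, "ok")


def outcome(serverfqdn: str, target_host: str, rdns: bool) -> Outcome:
    return server_check(requested_principal(target_host, rdns), serverfqdn)


def matrix(serverfqdn: str) -> dict:
    """All four client cases (node/alias x rDNS on/off) for one nsslapd-localhost value."""
    return {(host, rdns): outcome(serverfqdn, host, rdns).accepted
            for host in ("ipa01.example.net", "ldap.example.net")
            for rdns in (True, False)}


if __name__ == "__main__":
    for fqdn in ("ipa01.example.net", "ldap.example.net"):
        print(f"nsslapd-localhost = {fqdn}")
        for (host, rdns), ok in matrix(fqdn).items():
            print(f"  client -> {host:18} rDNS={rdns!s:5} {'OK' if ok else 'FAIL'}")
```

Whichever value nsslapd-localhost takes, one of the four client cases fails, which is the trade-off the reply describes.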



