Yes, I conflated SSL and SASL in my answer. So let me clean that up…
So, let’s say that my F5 is load balancing based on the name ldapserver.example.com. In the slapd.conf file that each of my real servers uses, I put the statement:
And in the keytab file that each OpenLDAP server uses, I have a key for ldap/ldapserver.example.com@realm
Now, when a GSSAPI connection comes in, OpenLDAP talks to SASL using the ldap/ldapserver.example.com@realm key and verifies that the GSSAPI package is all good.
I honestly do not know if AD has the equivalent of the OpenLDAP sasl-host configuration option or not.
Systems Architecture & Administration
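The setup described above hinges on two values agreeing on every real server: the sasl-host directive in slapd.conf and the ldap/<host>@<REALM> principal in that server's keytab. The following is an added example (not code from the list post or from OpenLDAP/Cyrus SASL) that checks that agreement from text alone. The slapd.conf excerpt and the "klist -k" listing are constructed inline so it runs offline; the realm EXAMPLE.COM, the host ldap1.example.com, and the key version numbers are assumptions.

```shell
#!/bin/sh
# Added example: verify that the sasl-host in slapd.conf has a matching
# ldap/<host>@<REALM> key in the keytab listing. Inputs below are constructed
# text, not a real keytab; on a live host you would feed it the output of
# "klist -k /etc/krb5.keytab" instead of KLIST_OUT.

# Constructed slapd.conf excerpt for one real server behind the F5.
# Realm EXAMPLE.COM is an assumption.
SLAPD_CONF='
sasl-host  ldapserver.example.com
sasl-realm EXAMPLE.COM
'

# Constructed "klist -k" output (host name ldap1.example.com is an assumption).
KLIST_OUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ldap1.example.com@EXAMPLE.COM
   3 ldap/ldap1.example.com@EXAMPLE.COM
   5 ldap/ldapserver.example.com@EXAMPLE.COM
'

# sasl_host CONF -> prints the value of the sasl-host directive
sasl_host() {
    printf '%s\n' "$1" | awk '$1 == "sasl-host" { print $2; exit }'
}

# sasl_realm CONF -> prints the value of the sasl-realm directive
sasl_realm() {
    printf '%s\n' "$1" | awk '$1 == "sasl-realm" { print $2; exit }'
}

# expected_principal CONF -> ldap/<sasl-host>@<sasl-realm>
expected_principal() {
    printf 'ldap/%s@%s\n' "$(sasl_host "$1")" "$(sasl_realm "$1")"
}

# keytab_has_principal KLIST_OUTPUT PRINCIPAL -> exit 0 if an entry matches,
# 1 otherwise. The first three lines of klist -k output are headers.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" \
        'NR > 3 && $2 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# check CONF KLIST_OUTPUT -> reports whether GSSAPI binds to the load-balanced
# name can be accepted by this server.
check() {
    p=$(expected_principal "$1")
    if keytab_has_principal "$2" "$p"; then
        echo "OK: $p is present in the keytab"
        return 0
    fi
    echo "MISSING: $p is not in the keytab; GSSAPI binds to the VIP name will fail here"
    return 1
}

check "$SLAPD_CONF" "$KLIST_OUT"
```

Run it on each real server with the live klist -k output; a server that passes the check for its own host name but not for the sasl-host name is the one that will reject GSSAPI binds arriving through the load balancer.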
From: Tadashi Inayama <tci@xxxxxxx>
Date: Tuesday, February 16, 2016 at 1:37 PM
To: Frank Swasey <Frank.Swasey@xxxxxxx>
Cc: "cyrus-sasl@xxxxxxxxxxxxxxxxxxxx" <cyrus-sasl@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: Load-balancing LDAP using GSSAPI/Kerberos/Cryus-SASL