Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 4. Installing Directory Server with Kerberos authentication behind a load balancer

Installing Directory Server instances that work behind a load balancer and support Kerberos authentication require additional steps compared during the installation.

If a user accesses a service using Generic Security Services API (GSSAPI), the Kerberos principal includes the DNS name of the service’s host. In case the user connects to a load balancer, the principal contains the DNS name of the load balancer, for example: ldap/loadbalancer.example.com@EXAMPLE.COM, and not the DNS name of the Directory Server instance.

To facilitate successful connection, the Directory Server instance that receives the request must use the same name as the load balancer, even if the load balancer DNS name is different.

This section describes how to set up an Directory Server instance with Kerberos authentication support behind a load balancer.

4.1. Prerequisites
Link kopieren

4.2. Installing the Directory Server packages
Link kopieren

Use the following procedure to install the Directory Server packages.

Prerequisites

Procedure

  1. Enable the redhat-ds:12 module and install Directory Server packages: 

    # dnf module enable redhat-ds:12
# dnf install 389-ds-base cockpit-389-ds
    Copy to Clipboard Toggle word wrap

4.3. Creating a .inf file for a Directory Server instance installation
Link kopieren

Create a .inf file for the dscreate utility, and adjust the file to your environment. In a later step, you will use this file to create the new Directory Server instance.

Prerequisites

  • You installed the redhat-ds:12 module.

Procedure

  1. Use the dscreate create-template command to create a template .inf file. For example, to store the template in the /root/instance_name.inf file, enter: 

    # dscreate create-template /root/instance_name.inf
    Copy to Clipboard Toggle word wrap

    The created file contains all available parameters including descriptions.

  2. Edit the file that you created in the previous step:

    1. Uncomment the parameters that you want to set to customize the installation.

      All parameters have defaults. However, customize certain parameters for a production environment. For example, set at least the following parameters in the [slapd] section: 

      instance_name = instance_name
root_password = password
      Copy to Clipboard Toggle word wrap

      By default, Directory Server creates an instance with the Berkeley Database (BDB). To install an instance with the LMDB backend that is a Technology Preview starting with Directory Server 12.5, set the following parameters: 

      db_lib = mdb
mdb_max_size = 21474836480
      Copy to Clipboard Toggle word wrap

      Note that mdb_max_size must be an integer value that depends on your directory size. For more details, see nsslapd-mdb-max-size attribute description.

    2. To use the instance behind a load balancer with GSSAPI authentication, set the full_machine_name parameter in the [general] section to the fully-qualified domain name (FQDN) of the load balancer instead of the FQDN of the Directory Server host: 

      full_machine_name = loadbalancer.example.com
      Copy to Clipboard Toggle word wrap

    3. Uncomment the strict_host_checking parameter in the [general] section and set it to False: 

      strict_host_checking = False
      Copy to Clipboard Toggle word wrap

    4. To automatically create a suffix during instance creation, set the following parameters in the [backend-userroot] section: 

      create_suffix_entry = True
suffix = dc=example,dc=com
      Copy to Clipboard Toggle word wrap
      Important

      If you do not create a suffix during instance creation, you must create it later manually before you can store data in this instance.

    5. Optional: Uncomment other parameters and set them to appropriate values for your environment. For example, use these parameters to specify replication options, such as authentication credentials and changelog trimming, or set different ports for the LDAP and LDAPS protocols.

      Note

      By default, new instances that you create include a self-signed certificate and TLS enabled. For increased security, do not disable this feature. Note that you can replace the self-signed certificate with a certificate issued by a Certificate Authority (CA) at a later date.

4.4. Using a .inf file to set up a new Directory Server instance
Link kopieren

This section describes how to use a .inf file to set up a new Directory Server instance using the command line.

Prerequisites

  • You created a .inf file for the Directory Server instance.

Procedure

  1. Pass the .inf file to the dscreate from-file command to create the new instance: 

    # dscreate from-file /root/instance_name.inf
Starting installation ...
Validate installation settings ...
Create file system structures ...
Create self-signed certificate database ...
Perform SELinux labeling ...
Perform post-installation tasks ...
Completed installation for instance: slapd-instance_name
    Copy to Clipboard Toggle word wrap

    The dscreate utility automatically starts the instance and configures RHEL to start the service when the system boots.

  2. Open the required ports in the firewall: 

    # firewall-cmd --permanent --add-port={389/tcp,636/tcp}
    Copy to Clipboard Toggle word wrap

  3. Reload the firewall configuration: 

    # firewall-cmd --reload
    Copy to Clipboard Toggle word wrap

Before user can authenticate to Directory Server behind a load balancer using GSSAPI, you must create a Kerberos principal for the load balancer and configure Directory Server to use the Kerberos principal. This section describes this procedure.

Prerequisites

  • An instance that contains the following .inf file configuration:

    • The full_machine_name parameter set to the DNS name of the load balancer.
    • The strict_host_checking parameter set to False.

Procedure

  1. Create the Kerberos principal for the load balancer, for example ldap/loadbalancer.example.com_@_EXAMPLE.COM. The procedure to create the service principal depends on your Kerberos installation. For details, see your Kerberos server’s documentation.
  2. Optional: You can add further principals to the keytab file. For example, to enable users to connect to the Directory Server instance behind the load balancer directly using Kerberos authentication, add additional principals for the Directory Server host. For example, ldap/server1.example.com@EXAMPLE.COM.
  3. Copy the service keytab file to the Directory Server host, and store it, for example, in the /etc/dirsrv/slapd-instance_name/ldap.keytab file.

  4. Add the path to the service keytab to the /etc/sysconfig/slapd-instance_name file: 

    KRB5_KTNAME=/etc/dirsrv/slapd-instance_name/ldap.keytab
    Copy to Clipboard Toggle word wrap

  5. Restart the Directory Server instance: 

    # dsctl instance_name restart
    Copy to Clipboard Toggle word wrap

Verification

  • Verify that you can connect to the load balancer using the GSSAPI protocol: 

    # ldapsearch -H ldap://loadbalancer.example.com -Y GSSAPI
    Copy to Clipboard Toggle word wrap

    If you added additional Kerberos principals to the keytab file, such as for the Directory Server host itself, also verify these connections: 

    # ldapsearch -H ldap://server1.example.com -Y GSSAPI
    Copy to Clipboard Toggle word wrap
Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat