Chapter 4. Installing Directory Server with Kerberos authentication behind a load balancer


Installing Directory Server instances that work behind a load balancer and support Kerberos authentication requires additional steps during the installation.

If a user accesses a service using Generic Security Services API (GSSAPI), the Kerberos principal includes the DNS name of the service’s host. In case the user connects to a load balancer, the principal contains the DNS name of the load balancer, for example: ldap/loadbalancer.example.com@EXAMPLE.COM, and not the DNS name of the Directory Server instance.

To facilitate successful connection, the Directory Server instance that receives the request must use the same name as the load balancer, even if the load balancer DNS name is different.

This section describes how to set up a Directory Server instance with Kerberos authentication support behind a load balancer.

4.1. Prerequisites

4.2. Installing the Directory Server packages

Use the following procedure to install the Directory Server packages.

Prerequisites

Procedure

  1. Enable the redhat-ds:12 module and install Directory Server packages:

    # dnf module enable redhat-ds:12
    # dnf install 389-ds-base cockpit-389-ds

4.3. Creating a .inf file for a Directory Server instance installation

Create a .inf file for the dscreate utility, and adjust the file to your environment. In a later step, you will use this file to create the new Directory Server instance.

Prerequisites

  • You installed the redhat-ds:12 module.

Procedure

  1. Use the dscreate create-template command to create a template .inf file. For example, to store the template in the /root/instance_name.inf file, enter:

    # dscreate create-template /root/instance_name.inf

    The created file contains all available parameters including descriptions.

  2. Edit the file that you created in the previous step:

    1. Uncomment the parameters that you want to set to customize the installation.

      All parameters have defaults. However, customize certain parameters for a production environment. For example, set at least the following parameters in the [slapd] section:

      instance_name = instance_name
      root_password = password

      To install an instance with the LMDB backend, set the following parameters:

      db_lib = mdb
      mdb_max_size = 21474836480

      Note that mdb_max_size must be an integer value that depends on your directory size. For more details, see the nsslapd-mdb-max-size attribute description.

    2. To use the instance behind a load balancer with GSSAPI authentication, set the full_machine_name parameter in the [general] section to the fully-qualified domain name (FQDN) of the load balancer instead of the FQDN of the Directory Server host:

      full_machine_name = loadbalancer.example.com
    3. Uncomment the strict_host_checking parameter in the [general] section and set it to False:

      strict_host_checking = False
    4. To automatically create a suffix during instance creation, set the following parameters in the [backend-userroot] section:

      create_suffix_entry = True
      suffix = dc=example,dc=com

      Important

      If you do not create a suffix during instance creation, you must create it later manually before you can store data in this instance.

    5. Optional: Uncomment other parameters and set them to appropriate values for your environment. For example, use these parameters to specify replication options, such as authentication credentials and changelog trimming, or set different ports for the LDAP and LDAPS protocols.

      Note

      By default, new instances that you create include a self-signed certificate and TLS enabled. For increased security, do not disable this feature. Note that you can replace the self-signed certificate with a certificate issued by a Certificate Authority (CA) at a later date.
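The settings in this section are easy to get wrong in a way that only shows up later, when GSSAPI binds through the load balancer fail. The following bash script is an added example, not part of the Red Hat documentation or of the 389-ds project: it writes a minimal .inf with the values described above and then checks, by parsing the file section by section, that full_machine_name is set and differs from the Directory Server host's own name, that strict_host_checking is False, and that instance_name and root_password are set. The host names, the instance name and the suffix are the chapter's placeholders; the root_password value written by the helper is a placeholder to be replaced.

```shell
#!/bin/bash
# Added example (not 389-ds code): generate and validate a dscreate .inf for an
# instance that serves GSSAPI clients behind a load balancer.

# Write a minimal .inf with the settings this chapter calls for.
# Usage: write_lb_inf <path> <instance_name> <load_balancer_fqdn> <suffix>
write_lb_inf() {
    local path=$1 inst=$2 lb_fqdn=$3 suffix=$4
    cat > "$path" <<EOF
[general]
full_machine_name = $lb_fqdn
strict_host_checking = False

[slapd]
instance_name = $inst
root_password = CHANGE_ME_before_use

[backend-userroot]
create_suffix_entry = True
suffix = $suffix
EOF
}

# Print the value of <key> inside [<section>]; prints nothing when the key is
# absent or still commented out with ';' or '#', as in the dscreate template.
inf_get() {
    local file=$1 section=$2 key=$3
    awk -v sec="[$section]" -v key="$key" '
        /^[[:space:]]*\[/ { line = $0; gsub(/[[:space:]]/, "", line); in_sec = (line == sec); next }
        in_sec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$file"
}

# Check an .inf file for the load balancer / GSSAPI settings. <local_fqdn> is
# the Directory Server host's own name (normally the output of `hostname -f`).
# Returns 0 when all settings are in place, 1 otherwise, one line per problem.
check_lb_inf() {
    local file=$1 local_fqdn=$2 rc=0 fmn shc inst pw
    fmn=$(inf_get "$file" general full_machine_name)
    shc=$(inf_get "$file" general strict_host_checking)
    inst=$(inf_get "$file" slapd instance_name)
    pw=$(inf_get "$file" slapd root_password)

    if [ -z "$fmn" ]; then
        echo "missing: [general] full_machine_name"; rc=1
    elif [ "$fmn" = "$local_fqdn" ]; then
        # The Kerberos principal carries the load balancer name, so the
        # instance must present that name, not its own.
        echo "full_machine_name is the local host ($fmn); set it to the load balancer FQDN"; rc=1
    fi
    case "$shc" in
        [Ff]alse) ;;
        *) echo "strict_host_checking must be False (found '${shc:-unset}')"; rc=1 ;;
    esac
    [ -n "$inst" ] || { echo "missing: [slapd] instance_name"; rc=1; }
    [ -n "$pw" ]   || { echo "missing: [slapd] root_password"; rc=1; }
    return $rc
}

# Demo: write the chapter's example configuration to a temporary file and check it.
demo_dir=$(mktemp -d)
write_lb_inf "$demo_dir/instance_name.inf" instance_name loadbalancer.example.com dc=example,dc=com
if check_lb_inf "$demo_dir/instance_name.inf" server1.example.com; then
    echo "OK: instance_name.inf is ready for dscreate from-file"
fi
rm -rf "$demo_dir"
```

Run check_lb_inf against your own /root/instance_name.inf with `hostname -f` as the second argument before passing the file to dscreate from-file; a non-zero exit lists every missing or unchanged setting.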

4.4. Using a .inf file to set up a new Directory Server instance

This section describes how to use a .inf file to set up a new Directory Server instance using the command line.

Prerequisites

  • You created a .inf file for the Directory Server instance.

Procedure

  1. Pass the .inf file to the dscreate from-file command to create the new instance:

    # dscreate from-file /root/instance_name.inf
    Starting installation ...
    Validate installation settings ...
    Create file system structures ...
    Create self-signed certificate database ...
    Perform SELinux labeling ...
    Perform post-installation tasks ...
    Completed installation for instance: slapd-instance_name

    The dscreate utility automatically starts the instance and configures RHEL to start the service when the system boots.

  2. Open the required ports in the firewall:

    # firewall-cmd --permanent --add-port={389/tcp,636/tcp}
  3. Reload the firewall configuration:

    # firewall-cmd --reload

4.5. Creating a keytab for the load balancer and configuring Directory Server to use the keytab

Before users can authenticate to Directory Server behind a load balancer using GSSAPI, you must create a Kerberos principal for the load balancer and configure Directory Server to use the Kerberos principal. This section describes this procedure.

Prerequisites

  • An instance that contains the following .inf file configuration:

    • The full_machine_name parameter set to the DNS name of the load balancer.
    • The strict_host_checking parameter set to False.

Procedure

  1. Create the Kerberos principal for the load balancer, for example ldap/loadbalancer.example.com@EXAMPLE.COM. The procedure to create the service principal depends on your Kerberos installation. For details, see your Kerberos server’s documentation.
  2. Optional: You can add further principals to the keytab file. For example, to enable users to connect to the Directory Server instance behind the load balancer directly using Kerberos authentication, add additional principals for the Directory Server host. For example, ldap/server1.example.com@EXAMPLE.COM.
  3. Copy the service keytab file to the Directory Server host, and store it, for example, in the /etc/dirsrv/slapd-instance_name/ldap.keytab file.
  4. Add the path to the service keytab to the /etc/sysconfig/slapd-instance_name file:

    KRB5_KTNAME=/etc/dirsrv/slapd-instance_name/ldap.keytab
  5. Restart the Directory Server instance:

    # dsctl instance_name restart

Verification

  • Verify that you can connect to the load balancer using the GSSAPI protocol:

    # ldapsearch -H ldap://loadbalancer.example.com -Y GSSAPI

    If you added additional Kerberos principals to the keytab file, such as for the Directory Server host itself, also verify these connections:

    # ldapsearch -H ldap://server1.example.com -Y GSSAPI
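The ldapsearch checks above tell you whether the whole chain works; when they fail, the following bash script narrows the cause down to the steps in this section. It is an added example, not part of the Red Hat documentation or of 389-ds: it reads KRB5_KTNAME from the instance's sysconfig file, confirms the keytab exists and is not world-readable (it holds the service's long-term key), and checks that the expected principal appears in the keytab listing. The listing normally comes from `klist -kt` on the keytab; for offline use, the demo passes a constructed listing instead, because its placeholder keytab is not a real keytab. The paths, instance name and principal names are the chapter's placeholders; EXAMPLE.COM is an assumed realm.

```shell
#!/bin/bash
# Added example (not 389-ds code): verify the keytab deployment for an instance
# behind a load balancer.

# Print the keytab path set through KRB5_KTNAME in a sysconfig file; prints
# nothing when the line is missing or commented out.
sysconfig_keytab() {
    local line val
    line=$(grep -E '^[[:space:]]*KRB5_KTNAME=' "$1" | tail -n 1)
    [ -n "$line" ] || return 0
    val=${line#*=}
    val=${val%\"}; val=${val#\"}   # strip optional double quotes
    printf '%s\n' "$val"
}

# Usage: check_keytab_setup <sysconfig_file> <principal> [klist_output_file]
# Without the third argument, `klist -kt` is run on the configured keytab.
# Returns 0 when everything is in place, 1 otherwise, one line per problem.
check_keytab_setup() {
    local sysconfig=$1 principal=$2 klist_out=${3:-} keytab perm listing rc=0
    [ -r "$sysconfig" ] || { echo "cannot read $sysconfig"; return 1; }
    keytab=$(sysconfig_keytab "$sysconfig")
    [ -n "$keytab" ] || { echo "KRB5_KTNAME is not set in $sysconfig"; return 1; }
    [ -r "$keytab" ] || { echo "keytab $keytab is missing or unreadable"; return 1; }

    # The keytab is a credential: the 'other' permission bits must be zero.
    perm=$(stat -c '%a' "$keytab")
    case "$perm" in
        *0) ;;
        *) echo "keytab $keytab is world-readable (mode $perm)"; rc=1 ;;
    esac

    if [ -n "$klist_out" ]; then
        listing=$(cat "$klist_out")
    elif command -v klist >/dev/null 2>&1; then
        listing=$(klist -kt "$keytab") || { echo "klist could not read $keytab"; return 1; }
    else
        echo "klist not available; cannot list principals in $keytab"; return 1
    fi
    # In `klist -kt` output the principal is the last field of each entry line.
    if ! printf '%s\n' "$listing" | awk -v p="$principal" '$NF == p { found = 1 } END { exit !found }'; then
        echo "principal $principal not found in $keytab"; rc=1
    fi
    return $rc
}

# Demo with constructed files: a sysconfig line, a placeholder keytab (not a
# real keytab, hence the constructed klist listing) and the chapter's principals.
demo=$(mktemp -d)
printf 'KRB5_KTNAME=%s/ldap.keytab\n' "$demo" > "$demo/slapd-instance_name"
: > "$demo/ldap.keytab" && chmod 600 "$demo/ldap.keytab"
cat > "$demo/klist.txt" <<EOF
Keytab name: FILE:$demo/ldap.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/2025 00:00:00 ldap/loadbalancer.example.com@EXAMPLE.COM
   2 01/01/2025 00:00:00 ldap/server1.example.com@EXAMPLE.COM
EOF
if check_keytab_setup "$demo/slapd-instance_name" ldap/loadbalancer.example.com@EXAMPLE.COM "$demo/klist.txt"; then
    echo "OK: instance is configured for ldap/loadbalancer.example.com@EXAMPLE.COM"
fi
rm -rf "$demo"
```

On the Directory Server host, run `check_keytab_setup /etc/sysconfig/slapd-instance_name ldap/loadbalancer.example.com@EXAMPLE.COM` with no third argument so that klist reads the real keytab; repeat with ldap/server1.example.com@EXAMPLE.COM if you added the host principal in step 2.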