Chapter 5. Installing Directory Server with Kerberos authentication behind a load balancer

download PDF

Installing Directory Server instances that work behind a load balancer and support Kerberos authentication require additional steps compared during the installation.

If a user accesses a service using Generic Security Services API (GSSAPI), the Kerberos principal includes the DNS name of the service’s host. In case the user connects to a load balancer, the principal contains the DNS name of the load balancer, for example: ldap/, and not the DNS name of the Directory Server instance.

To facilitate successful connection, the Directory Server instance that receives the request must use the same name as the load balancer, even if the load balancer DNS name is different.

This section describes how to set up an Directory Server instance with Kerberos authentication support behind a load balancer.

5.1. Prerequisites

5.2. Installing the Directory Server packages

Use the following procedure to install the Directory Server packages.


  • You registered the system to the Red Hat Subscription Management service.
  • You have a valid Red Hat Directory Server subscription in your Red Hat account.
  • The RHEL default repositories, BaseOS and AppStream, are enabled.


  1. If your account has disabled Simple Content Access (SCA):

    1. List the available subscriptions in your Red Hat account that provide a Red Hat Directory Server subscription, and note the pool ID:

      # subscription-manager list --all --available --matches 'Red Hat Directory Server'
      Subscription Name:   Example Subscription
      Provides:            ...
                           Red Hat Directory Server
      Pool ID:             5ab6a8df96b03fd30aba9a9c58da57a1
      Available:           1
    2. Attach the Red Hat Directory Server subscription to the system using its pool ID:

      # subscription-manager attach --pool=5ab6a8df96b03fd30aba9a9c58da57a1
      Successfully attached a subscription for: Example Subscription
  2. Enable the Directory Server repository. For example, to enable the Directory Server 12.4 repository, run:

    # subscription-manager repos --enable=dirsrv-12.4-for-rhel-9-x86_64-rpms
    Repository 'dirsrv-12.4-for-rhel-9-x86_64-rpms' is enabled for this system.
  3. Install the redhat-ds:12 module:

    # dnf module install redhat-ds:12

    This command automatically installs all required dependencies.

5.3. Creating a .inf file for a Directory Server instance installation

Create a .inf file for the dscreate utility, and adjust the file to your environment. In a later step, you will use this file to create the new Directory Server instance.


  • You installed the redhat-ds:12 module.


  1. Use the dscreate create-template command to create a template .inf file. For example, to store the template in the /root/instance_name.inf file, enter:

    # dscreate create-template /root/instance_name.inf

    The created file contains all available parameters including descriptions.

  2. Edit the file that you created in the previous step:

    1. Uncomment the parameters that you want to set to customize the installation.

      All parameters have defaults. However, Red Hat recommends that you customize certain parameters for a production environment. For example, set at least the following parameters in the [slapd] section:

      instance_name = instance_name
      root_password = password
    2. To use the instance behind a load balancer with GSSAPI authentication, set the full_machine_name parameter in the [general] section to the fully-qualified domain name (FQDN) of the load balancer instead of the FQDN of the Directory Server host:

      full_machine_name =
    3. Uncomment the strict_host_checking parameter in the [general] section and set it to False:

      strict_host_checking = False
    4. To automatically create a suffix during instance creation, set the following parameters in the [backend-userroot] section:

      create_suffix_entry = True
      suffix = dc=example,dc=com

      If you do not create a suffix during instance creation, you must create it later manually before you can store data in this instance.

    5. Optional: Uncomment other parameters and set them to appropriate values for your environment. For example, use these parameters to specify replication options, such as authentication credentials and changelog trimming, or set different ports for the LDAP and LDAPS protocols.


      By default, new instances that you create include a self-signed certificate and TLS enabled. For increased security, Red Hat recommends that you do not disable this feature. Note that you can replace the self-signed certificate with a certificate issued by a Certificate Authority (CA) at a later date.

5.4. Using a .inf file to set up a new Directory Server instance

This section describes how to use a .inf file to set up a new Directory Server instance using the command line.


  • You created a .inf file for the Directory Server instance.


  1. Pass the .inf file to the dscreate from-file command to create the new instance:

    # dscreate from-file /root/instance_name.inf
    Starting installation ...
    Validate installation settings ...
    Create file system structures ...
    Create self-signed certificate database ...
    Perform SELinux labeling ...
    Perform post-installation tasks ...
    Completed installation for instance: slapd-instance_name

    The dscreate utility automatically starts the instance and configures RHEL to start the service when the system boots.

  2. Open the required ports in the firewall:

    # firewall-cmd --permanent --add-port={389/tcp,636/tcp}
  3. Reload the firewall configuration:

    # firewall-cmd --reload

5.5. Creating a keytab for the load balancer and configuring Directory Server to use the keytab

Before user can authenticate to Directory Server behind a load balancer using GSSAPI, you must create a Kerberos principal for the load balancer and configure Directory Server to use the Kerberos principal. This section describes this procedure.


  • An instance that contains the following .inf file configuration:

    • The full_machine_name parameter set to the DNS name of the load balancer.
    • The strict_host_checking parameter set to False.


  1. Create the Kerberos principal for the load balancer, for example ldap/loadbalancer.example.com_@_EXAMPLE.COM. The procedure to create the service principal depends on your Kerberos installation. For details, see your Kerberos server’s documentation.
  2. Optional: You can add further principals to the keytab file. For example, to enable users to connect to the Directory Server instance behind the load balancer directly using Kerberos authentication, add additional principals for the Directory Server host. For example, ldap/
  3. Copy the service keytab file to the Directory Server host, and store it, for example, in the /etc/dirsrv/slapd-instance_name/ldap.keytab file.
  4. Add the path to the service keytab to the /etc/sysconfig/slapd-instance_name file:

  5. Restart the Directory Server instance:

    # dsctl instance_name restart


  • Verify that you can connect to the load balancer using the GSSAPI protocol:

    # ldapsearch -H ldap:// -Y GSSAPI

    If you added additional Kerberos principals to the keytab file, such as for the Directory Server host itself, also verify these connections:

    # ldapsearch -H ldap:// -Y GSSAPI
Red Hat logoGithubRedditYoutubeTwitter


Try, buy, & sell


About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.