Red Hat SummitChapter 5. Installing Directory Server with Kerberos authentication behind a load balancer
Installing Directory Server instances that work behind a load balancer and support Kerberos authentication require additional steps compared during the installation.
If a user accesses a service using Generic Security Services API (GSSAPI), the Kerberos principal includes the DNS name of the service’s host. In case the user connects to a load balancer, the principal contains the DNS name of the load balancer, for example: ldap/loadbalancer.example.com@EXAMPLE.COM, and not the DNS name of the Directory Server instance.
To facilitate successful connection, the Directory Server instance that receives the request must use the same name as the load balancer, even if the load balancer DNS name is different.
This section describes how to set up an Directory Server instance with Kerberos authentication support behind a load balancer.
5.1. Prerequisites
-
You installed the Directory Server instance as described in the Setting up a new instance on the command line using a
.inffile section.
5.2. Creating a keytab for the load balancer and configuring Directory Server to use the keytab
Before user can authenticate to Directory Server behind a load balancer using GSSAPI, you must create a Kerberos principal for the load balancer and configure Directory Server to use the Kerberos principal. This section describes this procedure.
Prerequisites
An instance that contains the following
.inffile configuration:-
The
full_machine_nameparameter set to the DNS name of the load balancer. -
The
strict_host_checkingparameter set toFalse.
-
The
Procedure
-
Create the Kerberos principal for the load balancer, for example
ldap/loadbalancer.example.com_@_EXAMPLE.COM. The procedure to create the service principal depends on your Kerberos installation. For details, see your Kerberos server’s documentation. -
Optional: You can add further principals to the keytab file. For example, to enable users to connect to the Directory Server instance behind the load balancer directly using Kerberos authentication, add additional principals for the Directory Server host. For example,
ldap/server1.example.com@EXAMPLE.COM. -
Copy the service keytab file to the Directory Server host, and store it, for example, in the
/etc/dirsrv/slapd-instance_name/ldap.keytabfile. Add the path to the service keytab to the
/etc/sysconfig/slapd-instance_namefile:KRB5_KTNAME=/etc/dirsrv/slapd-instance_name/ldap.keytabRestart the Directory Server instance:
# dsctl <instance_name> restart
Verification
Verify that you can connect to the load balancer using the GSSAPI protocol:
# ldapsearch -H ldap://loadbalancer.example.com -Y GSSAPIIf you added additional Kerberos principals to the keytab file, such as for the Directory Server host itself, also verify these connections:
# ldapsearch -H ldap://server1.example.com -Y GSSAPI
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}