On 07.03.25 at 02:10, Ken Hornstein via Kerberos wrote:
Unfortunately, the Cyrus SASL library used by OpenLDAP has a limitation in
the GSSAPI mechanism, which is that it supports only a single service
principal name(*). By default, that's ldap/<hostname>, using the machine's
configured FQDN. You can configure it to use a different name, such as the
one belonging to the shared load balancer VIP, but I'm afraid I don't
recall exactly how offhand (and I'm not in front of a computer). So, you
can support the server's individual name or the shared name, but not both.

If you are using MIT Kerberos (anything 1.10 or newer) on the LDAP server,
you can use the krb5.conf configuration entry "ignore_acceptor_hostname"
to allow the server to match on any valid hostname.  See details here:

https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html#libdefaults

Should do what you want.

--Ken

Hi Ken,

That did it, thank you. Now we get the ticket through the load balancer. But OpenLDAP is complaining that the name of the principal does not match the FQDN.
We will now go the way without the load balancer. We will use SRV records.

Stefan

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

--

Attachment: smime.p7s
Description: Cryptographic S/MIME signature
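The two remedies discussed in this thread, `ignore_acceptor_hostname` on the LDAP server and the move to SRV records, as an added example that is not part of the thread and is not code from MIT krb5, Cyrus SASL or OpenLDAP: a small Python model of the client's SRV selection (RFC 2782 ordering) and of the acceptor's principal-name check with and without the option. The realm, host names, keytab contents and SRV records are constructed assumptions for the example.

```python
"""Model of the two approaches from the thread (added example, not krb5 code).

1. SRV records, client side: order the _ldap._tcp SRV records per RFC 2782,
   connect to one concrete host and ask the KDC for that host's own
   principal ldap/<host>@REALM.  Each server then only needs the key for its
   own FQDN, so the single-SPN limit of the SASL GSSAPI plugin never bites.
2. ignore_acceptor_hostname = true in [libdefaults] of the LDAP server's
   krb5.conf (MIT krb5 1.10+): the acceptor no longer insists on
   ldap/<configured FQDN> and accepts a ticket for any ldap/* principal that
   has a key in its keytab, e.g. the load balancer's name.

All names and records below are constructed for the example.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed records, as they might be published under _ldap._tcp.example.com
SAMPLE_SRV = [
    SrvRecord(priority=10, weight=60, port=389, target="ldap1.example.com"),
    SrvRecord(priority=10, weight=40, port=389, target="ldap2.example.com"),
    SrvRecord(priority=20, weight=0, port=389, target="ldap-dr.example.com"),
]


def order_srv(records, randint=random.randint):
    """Order SRV records as RFC 2782 prescribes: lowest priority first, and a
    weighted random order within one priority.  randint(a, b) is injectable
    so the resulting order can be checked deterministically."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        # RFC 2782: zero-weight records go to the front of the candidate list
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            pick = randint(0, total)
            running = 0
            for rec in group:
                running += rec.weight
                if running >= pick:
                    chosen = rec
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


def target_principal(service, host, realm):
    """Name the client asks the KDC for once it has chosen a host; the host
    part is lower-cased as host-based principal names conventionally are."""
    return f"{service}/{host.lower()}@{realm}"


def _service_and_realm(principal):
    service, _, rest = principal.partition("/")
    _host, _, realm = rest.partition("@")
    return service, realm


def acceptor_accepts(ticket_principal, acceptor_name, keytab,
                     ignore_acceptor_hostname=False):
    """Model of the server-side check.

    The service principal in the ticket must have a key in the keytab in
    every case, otherwise the ticket cannot be decrypted.  By default it must
    also equal the acceptor name the application passed (ldap/<FQDN> for the
    Cyrus SASL GSSAPI plugin).  With ignore_acceptor_hostname = true the host
    part of the acceptor name is ignored: any keytab entry with the same
    service and realm is accepted.
    """
    if ticket_principal not in keytab:
        return False
    if ticket_principal == acceptor_name:
        return True
    if not ignore_acceptor_hostname:
        return False
    return _service_and_realm(ticket_principal) == _service_and_realm(acceptor_name)


if __name__ == "__main__":
    realm = "EXAMPLE.COM"
    acceptor = "ldap/ldap1.example.com@" + realm          # what SASL asks for
    keytab = {acceptor, "ldap/ldap.example.com@" + realm}  # host key + VIP key
    vip_ticket = "ldap/ldap.example.com@" + realm          # ticket via the VIP
    print("VIP name, default  :", acceptor_accepts(vip_ticket, acceptor, keytab))
    print("VIP name, option on:", acceptor_accepts(vip_ticket, acceptor, keytab, True))
    host = order_srv(SAMPLE_SRV)[0].target                 # SRV route instead
    print("SRV choice ->", target_principal("ldap", host, realm))
```

On the server the setting goes into `/etc/krb5.conf` as `ignore_acceptor_hostname = true` under `[libdefaults]`; the keytab must still contain the key for the load balancer's `ldap/<vip>` principal, because the option relaxes the name comparison, not the ticket decryption. With SRV records the client connects to one specific server and asks for that server's own `ldap/<fqdn>`, which is the name every LDAP server's keytab already has, so neither the option nor a shared name is needed.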
