load balancing of Kerberized services

Donn Cave donn at drizzle.com
Sat Apr 10 12:47:21 EDT 2004


Quoth vadim <vadim.tarassov at swissonline.ch>:
| I am now evaluating the possibility of load balancing between several ldap 
| servers. I imagine each ldap server will bind to its own ip address. 
| LDAP client will try to connect to ip address of the loadbalancer and 
| the loadbalancer will distribute requests between ip address of ldap 
| servers.

I am not following you.  I expect the domain name service (DNS) to
distribute load by rotating a list of one or more IP addresses, for
a single well known LDAP server domain name.  Maybe that's what you
mean.  The details of what you're proposing to do are important.

| If I use GSSAPI to authenticate my clients against ldap servers, I am 
| afraid I will get into trouble, as my clients will ask for a ticket for
|
| ldap/loadbalancer at MYDOMAIN
|
| although they will be connected to ldapservers with principals like
|
| ldap/server1 at MYDOMAIN or ldap/server2 at MYDOMAIN
...

It depends on your client software.  All you need to do is resolve the
addresses to canonical host name first, and use the resolved name for
both the client connect and the service ticket.  (It would be nice to
check the resolved name against some list of valid hosts, in case you're
vulnerable to DNS spoofing.)  You might do this in the actual LDAP client
program if you have the source, or in a wrapper script otherwise.  This
reverse lookup procedure uses gethostbyname() and then gethostbyaddr()
with the result.

If you can't do that, then I guess you will need the keys for each server
host, on all server hosts - ldap/server1 + ldap/server2 + ...

	Donn Cave, donn at drizzle.com
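The resolve-then-reverse-lookup procedure Donn describes, as an added example that is not part of the original post: a Python wrapper-script sketch built on socket.gethostbyname()/socket.gethostbyaddr(), with the forward-confirmation and trusted-host checks he suggests. The example.com names, addresses and the fake resolver tables are constructed assumptions so the code runs offline; with the default arguments it queries real DNS.

```python
import socket

# Constructed sample DNS data (not from the original post): the balancer
# name, the real LDAP hosts behind it, and one spoofed PTR record.
FORWARD = {
    "ldap.example.com": "192.0.2.11",            # DNS rotates .11 / .12
    "server1.example.com": "192.0.2.11",
    "server2.example.com": "192.0.2.12",
    "ldap-poisoned.example.com": "203.0.113.9",  # balancer name, bad A answer
}
REVERSE = {
    "192.0.2.11": "server1.example.com",
    "192.0.2.12": "server2.example.com",
    "203.0.113.9": "server1.example.com",        # attacker's PTR claims server1
}
TRUSTED_LDAP_HOSTS = {"server1.example.com", "server2.example.com"}


def fake_gethostbyname(name):
    """Stand-in for socket.gethostbyname over the constructed table."""
    return FORWARD[name]


def fake_gethostbyaddr(addr):
    """Stand-in for socket.gethostbyaddr: (hostname, aliases, addresses)."""
    return REVERSE[addr], [], [addr]


def canonical_target(name, realm, trusted=TRUSTED_LDAP_HOSTS,
                     gethostbyname=socket.gethostbyname,
                     gethostbyaddr=socket.gethostbyaddr):
    """gethostbyname() the balancer name, gethostbyaddr() the result, and
    return (canonical_host, address, service_principal) so the client uses
    the same canonical name for the connection and the ldap/... ticket."""
    addr = gethostbyname(name)
    canonical = gethostbyaddr(addr)[0].lower()
    # A PTR record is controlled by whoever owns the address block, so
    # require it to forward-resolve back to the same address
    # (forward-confirmed reverse DNS) before trusting it.
    if gethostbyname(canonical) != addr:
        raise ValueError(f"PTR {canonical} for {addr} does not resolve back")
    # The post's "list of valid hosts" check, for the DNS spoofing case.
    if canonical not in trusted:
        raise ValueError(f"{canonical} is not a trusted LDAP server")
    return canonical, addr, f"ldap/{canonical}@{realm}"
```

A wrapper script would then start the real client against the returned host (for OpenLDAP, ldapsearch -Y GSSAPI -H ldap://host/), and the ticket requested is for the returned principal rather than ldap/loadbalancer.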