loadbalancing of kerberized services
vadim
vadim.tarassov at swissonline.ch
Sat Apr 10 05:35:13 EDT 2004
Hello everybody,

I am now evaluating the possibility of load balancing between several LDAP
servers. I imagine each LDAP server will bind to its own IP address.
The LDAP client will try to connect to the IP address of the load balancer and
the load balancer will distribute requests between the IP addresses of the LDAP
servers.

If I use GSSAPI to authenticate my clients against the LDAP servers, I am
afraid I will get into trouble, as my clients will ask for a ticket for
ldap/loadbalancer@MYDOMAIN
although they will be connected to LDAP servers with principals like
ldap/server1@MYDOMAIN or ldap/server2@MYDOMAIN,
which may cause problems. To work around it I could try to put into the keytab
of the LDAP servers on server1@mydomain and server2@mydomain the keys of the
principal ldap/loadbalancer@MYDOMAIN. However, in such a case I think I
will not be able to bind directly to the LDAP servers (not via the
load balancer), as my clients will ask for tickets like
ldap/server1@MYDOMAIN or ldap/server2@MYDOMAIN. Probably it is possible
to assign the same keys to three different principals,
ldap/loadbalancer@MYDOMAIN, ldap/server1@MYDOMAIN, and
ldap/server2@MYDOMAIN, but I don't know how I can do it.

Is there any standard way of organizing load balancing between kerberized
services?

Thanks a lot and best regards, vadim tarassov.
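
The principal mismatch described in this message, as a toy model added here (not part of the original post and not Kerberos library code). It assumes the client derives the service principal from the host it connects to and that the acceptor looks up its keytab by the server name carried in the ticket; real ticket encryption is replaced by an HMAC, and all function names are hypothetical. It goes one case beyond the message by also modelling a keytab that holds two principals with independent keys.

```python
import hashlib
import hmac
import os

REALM = "MYDOMAIN"

def principal(host):
    # Service principal a GSSAPI client derives from the host name it connected to.
    return f"ldap/{host}@{REALM}"

# Constructed KDC database: one independent random key per service principal.
KDC_DB = {principal(h): os.urandom(32) for h in ("loadbalancer", "server1", "server2")}

def kdc_issue_ticket(sname):
    # Toy ticket: server name in the clear plus a MAC under that principal's
    # long-term key (stands in for the encrypted part of a real ticket).
    body = b"client=user@" + REALM.encode()
    mac = hmac.new(KDC_DB[sname], body + sname.encode(), hashlib.sha256).digest()
    return {"sname": sname, "body": body, "mac": mac}

def make_keytab(*hosts):
    # Keytab as a server would hold it: principal name -> long-term key.
    return {principal(h): KDC_DB[principal(h)] for h in hosts}

def accept(keytab, ticket, bound_to=None):
    # bound_to models an acceptor restricted to one principal (assumption);
    # None models an acceptor that takes any principal present in its keytab.
    sname = ticket["sname"]
    if bound_to is not None and sname != bound_to:
        return False
    key = keytab.get(sname)
    if key is None:
        return False  # no key for the principal the client asked for
    expected = hmac.new(key, ticket["body"] + sname.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, ticket["mac"])

def bind(connect_host, keytab, bound_to=None):
    # connect_host is the name the client used; the backend is always server1 here.
    return accept(keytab, kdc_issue_ticket(principal(connect_host)), bound_to)

def scenarios():
    own, lb, both = make_keytab("server1"), make_keytab("loadbalancer"), make_keytab("server1", "loadbalancer")
    return {
        "own key only, via loadbalancer": bind("loadbalancer", own),
        "loadbalancer key only, via loadbalancer": bind("loadbalancer", lb),
        "loadbalancer key only, direct": bind("server1", lb),
        "both keys, via loadbalancer": bind("loadbalancer", both),
        "both keys, direct": bind("server1", both),
        "both keys, acceptor bound to server1, via loadbalancer": bind("loadbalancer", both, bound_to=principal("server1")),
    }
```

Whether a real server behaves like the unbound acceptor in this model depends on how the application acquires its acceptor credentials.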