loadbalancing of kerberized services

vadim vadim.tarassov at swissonline.ch
Sat Apr 10 05:35:13 EDT 2004


Hello everybody,

I am evaluating now a possibility of load balancing between several ldap 
servers. I imagine each ldap server will bind to its own ip address. 
LDAP client will try to connect to ip address of the loadbalancer and 
the loadbalancer will distribute requests between ip address of ldap 
servers.

If I use GSSAPI to authenticate my clients against ldap servers, I am 
afraid I will get into trouble, as my clients will ask for a ticket for

ldap/loadbalancer@MYDOMAIN

although they will be connected to ldap servers with principals like

ldap/server1@MYDOMAIN or ldap/server2@MYDOMAIN

which may cause problems. To work around it I could try to put in the keytab 
of the ldap servers on server1@mydomain and server2@mydomain the keys of the 
principal ldap/loadbalancer@MYDOMAIN. However in such a case I think I 
will not be able to bind directly to the ldap servers (not via 
loadbalancer) as my clients will ask for tickets like 
ldap/server1@MYDOMAIN or ldap/server2@MYDOMAIN. Probably it is possible 
to assign the same keys to three different principals 
ldap/loadbalancer@MYDOMAIN, ldap/server1@MYDOMAIN, and 
ldap/server2@MYDOMAIN but I don't know how I can do it.

Is there any standard way of organizing loadbalancing between kerberized 
services?

Thanx a lot and best regards, vadim tarassov.
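
The principal mismatch described in the message above, as a toy model added here (not part of the original post and not real Kerberos code): an HMAC stands in for ticket encryption, and `ToyKDC`, `accept` and `simulate` are hypothetical names. It assumes each server's acceptor will use whichever keytab entry matches the service name in the ticket rather than one pinned principal, and that keys are exported to the keytabs without being re-randomized.

```python
import hashlib
import hmac
import os

REALM = "MYDOMAIN"  # realm name as written in the post


def spn(host):
    return f"ldap/{host}@{REALM}"


class ToyKDC:
    """Constructed model: one random long-term key per service principal."""

    def __init__(self, hosts):
        self.keys = {spn(h): os.urandom(32) for h in hosts}

    def ticket(self, service, client="user@" + REALM):
        # Stand-in for a service ticket: body plus a MAC under the service key.
        body = f"{client} -> {service}".encode()
        return service, body, hmac.new(self.keys[service], body, hashlib.sha256).digest()

    def keytab(self, hosts):
        # Export the existing keys unchanged (no re-keying) for the listed hosts.
        return {spn(h): self.keys[spn(h)] for h in hosts}


def accept(keytab, ticket):
    """Acceptor: verify the ticket with the keytab entry named in it, if any."""
    service, body, mac = ticket
    key = keytab.get(service)
    if key is None:
        return False
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), mac)


def simulate(extra_hosts_in_keytab, own_key=True):
    """Return {(name the client dialled, backend that answered): bind accepted?}."""
    kdc = ToyKDC(["loadbalancer", "server1", "server2"])
    out = {}
    for backend in ("server1", "server2"):
        hosts = ([backend] if own_key else []) + list(extra_hosts_in_keytab)
        kt = kdc.keytab(hosts)
        for dialled in ("loadbalancer", backend):
            out[(dialled, backend)] = accept(kt, kdc.ticket(spn(dialled)))
    return out


if __name__ == "__main__":
    for label, args in [("own key only", ([],)), ("loadbalancer key only", (["loadbalancer"], False)),
                        ("own + loadbalancer keys", (["loadbalancer"],))]:
        print(label, simulate(*args))
```

In this model a keytab holding only the server's own key rejects binds made through the load balancer, a keytab holding only the load balancer key rejects direct binds, and a keytab holding both entries accepts either.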


