[39495] in Kerberos


Re: spn alias

daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Thu Mar 6 22:19:59 2025

Message-Id: <202503070110.5271AcT0029382@hedwig.cmf.nrl.navy.mil>
To: <kerberos@mit.edu>
In-Reply-To: <CALF+FNwB=07CbW5Do4E+C-C6D8T3bXhUX4PMHbkdnwGT9ewXfw@mail.gmail.com>
MIME-Version: 1.0
Date: Thu, 06 Mar 2025 20:10:38 -0500
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

>Unfortunately, the Cyrus SASL library used by OpenLDAP has a limitation in
>the GSSAPI mechanism, which is that it supports only a single service
>principal name(*). By default, that's ldap/<hostname>, using the machine's
>configured FQDN. You can configure it to use a different name, such as the
>one belonging to the shared load balancer VIP, but I'm afraid I don't
>recall exactly how offhand (and I'm not in front of a computer). So, you
>can support the server's individual name or the shared name, but not both.

If you are using MIT Kerberos (anything 1.10 or newer) on the LDAP server,
you can use the krb5.conf configuration entry "ignore_acceptor_hostname"
to allow the server to match on any valid hostname.  See details here:

https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html#libdefaults

Should do what you want.

--Ken

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
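An added illustration of the setting Ken points to (not part of the original thread): the `[libdefaults]` stanza in the LDAP server's own krb5.conf, since it is the acceptor side that consults it. Hostnames, realm and keytab path are placeholders; the one practical caveat is that the keytab must still hold keys for every name clients may use, because the option only relaxes which keytab entry the acceptor is willing to match, it does not make one key serve two names.

```ini
# /etc/krb5.conf on the LDAP server (acceptor side) -- example, assumed values
[libdefaults]
    default_realm = EXAMPLE.ORG
    # Accept a client ticket for any host-based "ldap/..." principal that has
    # a key in the keytab, instead of only ldap/<this host's FQDN>.
    # Requires MIT Kerberos 1.10 or newer on the server.
    ignore_acceptor_hostname = true

# The server's keytab (path assumed) must then contain keys for both names,
# e.g. as listed by "klist -kt /etc/krb5.keytab":
#   ldap/ldap1.example.org@EXAMPLE.ORG   (the node's own name)
#   ldap/ldap.example.org@EXAMPLE.ORG    (the load-balancer VIP name)
```

Verify after restarting slapd by authenticating once against each name (for example `ldapwhoami -Y GSSAPI -H ldap://ldap1.example.org/` and again with the VIP hostname); a key missing for one of the names shows up as a "no principal in keytab matches" style failure from the acceptor.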
