On Mon, 11 Mar 2019, Callum Smith wrote:
Dear Alexander,

We're wondering that too, there's obviously a disparity between the
domain that either end is issuing the LDAP ticket for, and the SRV
records for the `virt.in.bmrc.ox.ac.uk` domain all point to the LDAP
endpoint. Do I need specific SRV records for ldaps and not ldap? I
earlier attached a screenshot of our domain setup for the VIRT
subdomain.

I fear the opposite may be the case and the client is requesting the
correct one but the ldap server is defaulting to the root domain not
the subdomain.
Well, the server is doing the right thing as it doesn't know anything
about the subdomain's hostname. The kernel has only a single hostname.

Can you do a check like this from the client:

export KRB5_TRACE=/dev/stderr
kinit admin
ldapsearch -Y GSSAPI -h ipa-b.virt.in.bmrc.ox.ac.uk -b dc=in,dc=bmrc,dc=ox,dc=ac,dc=uk -s base


Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Mar 2019, at 16:19, Alexander Bokovoy <aboko...@redhat.com> wrote:

On Mon, 11 Mar 2019, Callum Smith wrote:
Locally on the IPA server I note that doing an ldapsearch using GSSAPI works, 
if I use the ldap host:
ldaps://ipa-b.in.bmrc.ox.ac.uk/
but not:
ldaps://ipa-b.virt.in.bmrc.ox.ac.uk/

Since the client can only access the network that is
ipa-b.virt.in.bmrc.ox.ac.uk it needs to be able to communicate to LDAP
via that hostname. Is this actually possible, since the TGT is _always_
going to be on ipa-b.$domain because of the nsslapd-localhost entry?
Question I have is why the client actually chooses ldap/ipa-b.$domain
itself? This is probably the easiest place to change since it is driven
by the DNS discovery so you can influence by whatever is put in the DNS
SRV records.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

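The exchange above comes down to which `ldap/<host>` principal the client asks for, and that choice is driven by the `_ldap._tcp` SRV target for the client's domain, while the server can only hold a principal for its single hostname. The following added example (not code from the thread or from FreeIPA) models that selection and also extracts the requested principal from the `KRB5_TRACE` output Alexander asked for; the realm, SRV data, server principal set and trace line are constructed samples built from the hostnames in the thread.

```python
"""Model how DNS SRV discovery picks the LDAP service principal a FreeIPA
client asks the KDC for, and compare it with what the server can hold.

Added example, not code from the thread. Realm, SRV data, the server's
principal set and the KRB5_TRACE line are constructed samples built from
the hostnames quoted in the thread.
"""
import re

REALM = "IN.BMRC.OX.AC.UK"  # assumed realm; the thread does not state it

# Constructed SRV data: owner name -> [(priority, weight, port, target)]
SRV = {
    "_ldap._tcp.in.bmrc.ox.ac.uk": [(0, 100, 389, "ipa-b.in.bmrc.ox.ac.uk.")],
    "_ldap._tcp.virt.in.bmrc.ox.ac.uk": [(0, 100, 389, "ipa-b.virt.in.bmrc.ox.ac.uk.")],
}

# Constructed: the server has one kernel hostname, hence one ldap/ principal.
SERVER_PRINCIPALS = {f"ldap/ipa-b.in.bmrc.ox.ac.uk@{REALM}"}

# krb5 trace line that names the service principal the client requested.
TRACE_RE = re.compile(r"Getting credentials (\S+) -> (\S+) using ccache")


def ldap_targets(domain, srv=SRV):
    """SRV targets for _ldap._tcp.<domain>, best priority/weight first."""
    recs = sorted(srv.get(f"_ldap._tcp.{domain}", []), key=lambda r: (r[0], -r[1]))
    return [r[3].rstrip(".").lower() for r in recs]


def expected_principals(domain, realm=REALM, srv=SRV):
    """Service principals a client in <domain> would request, in SRV order."""
    return [f"ldap/{t}@{realm}" for t in ldap_targets(domain, srv)]


def principal_from_trace(trace_text):
    """Requested service principal found in KRB5_TRACE output, or None."""
    m = TRACE_RE.search(trace_text)
    return m.group(2) if m else None


def diagnose(domain, server_principals=SERVER_PRINCIPALS, srv=SRV):
    """Map each principal the client would request to whether the server holds it."""
    return {p: p in server_principals for p in expected_principals(domain, srv=srv)}


if __name__ == "__main__":
    trace = ("[4242] 1552320000.1: Getting credentials admin@IN.BMRC.OX.AC.UK -> "
             "ldap/ipa-b.virt.in.bmrc.ox.ac.uk@IN.BMRC.OX.AC.UK using ccache KCM:")
    print("trace requested:", principal_from_trace(trace))
    for dom in ("in.bmrc.ox.ac.uk", "virt.in.bmrc.ox.ac.uk"):
        print(dom, diagnose(dom))
```

A `False` entry for the subdomain is the mismatch the thread describes: the SRV record sends the client to a name the KDC has no key for, so either the SRV target or the server's principal set has to change.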
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org