Currently, when requesting a Kerberos ticket for the LDAP service, the JAAS login module (such as `LdapDnAuthorizationModule`) builds the SPN by prepending "ldap/" to the hostname specified in the `ldapUrl`. So if the login module parameters contain:

`ldapUrl="ldap://dc1.mydomain.local:389"`

then the SPN will be "ldap/dc1.mydomain.local".

This actually forces me to list a specific DC or DCs in the `ldapUrl`, which, of course, isn't very flexible and can lead to problems if these DCs are decommissioned and replaced by new ones.
In Active Directory, such discovery problems are solved by so-called SRV records in DNS. For example, the SRV record

`_ldap._tcp.mydomain.local`

contains regular A (host) records for all DCs of mydomain.local. Other examples may include:

- `_ldap._tcp.London._sites.mydomain.local` means "all DCs in the London site",
- `_gc._tcp.mydomain.local` means "all Global Catalogs in the domain",

and so on.
It would be great if ldaptive login modules could make use of this mechanism. For instance, if they could do this:

1. Get the URL in a format like `ldapUrl="ldap://_gc._tcp.mydomain.local:3268,SRV"` or something similar,
2. Understand that it's an SRV record, not a hostname,
3. Resolve the record to a specific hostname or hostnames (such as dc1.mydomain.local),
4. Pick one of these hostnames, build an SPN out of it and then get a service ticket for this SPN, as usual.
Thanks!
Cat Mucius.
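The four steps requested above, worked through as an added example that is not part of the issue and not ldaptive code. It uses the JDK's JNDI DNS provider (`com.sun.jndi.dns.DnsContextFactory`) to fetch SRV records, picks a target the way RFC 2782 describes (lowest priority first, weighted random among equal priorities), and derives the SPN from the SRV target with the same "ldap/" + hostname rule the module applies today. The class name `SrvSpnResolver` and the record names in `main` are constructed for illustration; `lookup` needs network access, while `parse` and `select` run on the embedded sample.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import java.util.Random;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Resolves an AD-style SRV name to one LDAP host and derives the SPN from it. (Illustrative, not ldaptive code.) */
public final class SrvSpnResolver {

    /** One SRV record in RDATA order: priority, weight, port, target. */
    public record SrvRecord(int priority, int weight, int port, String target) {}

    /** Parses the text form the JNDI DNS provider returns, e.g. "0 100 389 dc1.mydomain.local." */
    static SrvRecord parse(String rdata) {
        String[] f = rdata.trim().split("\\s+");
        if (f.length != 4) {
            throw new IllegalArgumentException("malformed SRV record: " + rdata);
        }
        // DNS answers carry a trailing dot on the FQDN; strip it so the SPN reads "ldap/dc1.mydomain.local".
        String target = f[3].endsWith(".") ? f[3].substring(0, f[3].length() - 1) : f[3];
        return new SrvRecord(Integer.parseInt(f[0]), Integer.parseInt(f[1]), Integer.parseInt(f[2]), target);
    }

    /** Queries DNS for all SRV records of srvName, e.g. "_ldap._tcp.mydomain.local" (requires network access). */
    static List<SrvRecord> lookup(String srvName) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
        env.put("java.naming.provider.url", "dns:");
        DirContext ctx = new InitialDirContext(env);
        try {
            Attributes attrs = ctx.getAttributes(srvName, new String[] {"SRV"});
            Attribute srv = attrs.get("SRV");
            List<SrvRecord> out = new ArrayList<>();
            if (srv == null) {
                return out;
            }
            NamingEnumeration<?> values = srv.getAll();
            while (values.hasMore()) {
                out.add(parse(values.next().toString()));
            }
            return out;
        } finally {
            ctx.close();
        }
    }

    /** RFC 2782 selection: only the lowest priority is eligible; among those, weight decides the odds. */
    static SrvRecord select(List<SrvRecord> records, Random rnd) {
        if (records.isEmpty()) {
            throw new IllegalStateException("no SRV records to choose from");
        }
        int best = records.stream().mapToInt(SrvRecord::priority).min().getAsInt();
        List<SrvRecord> candidates = records.stream().filter(r -> r.priority() == best).toList();
        int total = candidates.stream().mapToInt(SrvRecord::weight).sum();
        if (total == 0) {
            return candidates.get(rnd.nextInt(candidates.size()));
        }
        int pick = rnd.nextInt(total);
        for (SrvRecord r : candidates) {
            pick -= r.weight();
            if (pick < 0) {
                return r;
            }
        }
        return candidates.get(candidates.size() - 1);
    }

    /** SPN for the chosen host; it must name the host actually connected to, or the service ticket will not verify. */
    static String spnFor(SrvRecord r) {
        return "ldap/" + r.target();
    }

    public static void main(String[] args) {
        // Constructed sample standing in for a real answer to _ldap._tcp.mydomain.local.
        List<SrvRecord> sample = List.of(
            parse("0 100 389 dc1.mydomain.local."),
            parse("0 100 389 dc2.mydomain.local."),
            parse("10 0 389 dc-backup.mydomain.local."));
        SrvRecord chosen = select(sample, new Random());
        System.out.println("connect to " + chosen.target() + ":" + chosen.port() + ", request ticket for " + spnFor(chosen));
    }
}
```

Two points matter for a module that adopts this. The SPN must be built from the SRV target the connection is actually made to, not from the SRV name itself, since Kerberos validates the ticket against the host's own `ldap/<fqdn>` principal. And the port in the SRV answer (389 for `_ldap`, 3268 for `_gc`) should be taken from the record rather than from the URL, so a Global Catalog lookup does not silently land on a plain LDAP port.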