Forum Discussion
Problem Load-balancing LDAP with GSSAPI using SASL Authentication
Hi inayamat, hi Yves,
SASL/GSSAPI depends on Kerberos session keys derived from TGS Tickets to authenticate and secure the LDAP(S) connection.
Whenever Load-Balancing meets Kerberos, you have to make sure that the load balanced services are all running under the same Service-Account, so that a single DNS Entry >> SPN Record >> Kerberos-TGS can be used to access and authenticate against every single pool member (it's a MUST have).
Unfortunately an Active Directory Domain Controller can not be configured to use a custom Service-Account to run its AD-LDAP Database. It will always use its Computer-Account identity and therefore simply won't work in a load balanced cluster.
Note: With AD LDS (Active Directory Lightweight Directory Services) you can configure an LDAP Service-Account of your choice, so that using LDAP-SASL/GSSAPI in combination with Load-Balancing isn't a problem anymore...
Note: You can also try to use a non-existent DNS Name while accessing the load balanced LDAPs. This will normally result in a failback to NTLM. But keep in mind that it's not guaranteed that every client is able to perform the failback...
Cheers, Kai
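The constraint described in the answer above, as an added model (not code from the original post): a client builds the SPN `ldap/<dns name>` for the name it connects to, the TGS ticket is encrypted to the key of whichever account owns that SPN, and a pool member can accept it only if its LDAP service runs as that same account. All host names, account names and the directory snapshot below are constructed for the example.

```python
"""Model of SASL/GSSAPI behind a load balancer: DC pool vs. AD LDS pool.

Constructed example; the directory snapshot is not real data.
"""
from dataclasses import dataclass, field


@dataclass(eq=False)
class Account:
    name: str
    spns: set = field(default_factory=set)


@dataclass
class PoolMember:
    host: str
    runs_as: Account  # identity of the LDAP service (a DC always uses its computer account)


def spn_owner(directory, spn):
    """Return the single account holding spn, or None. Duplicate SPNs break Kerberos."""
    owners = [a for a in directory if spn in a.spns]
    if len(owners) > 1:
        raise ValueError(f"duplicate SPN {spn} on {[a.name for a in owners]}")
    return owners[0] if owners else None


def gssapi_bind_works(directory, vip_dns, pool):
    """Map each pool member behind vip_dns to whether a GSSAPI bind can succeed on it."""
    owner = spn_owner(directory, f"ldap/{vip_dns}")
    # The TGS ticket is encrypted to the SPN owner's key; only a service
    # running as that very account can decrypt and accept it.
    return {m.host: owner is not None and m.runs_as is owner for m in pool}


def build_scenarios():
    """Constructed snapshot: two DCs (computer accounts) and two AD LDS hosts (shared account)."""
    dc1 = Account("DC1$", {"ldap/dc1.example.test", "ldap/dc-vip.example.test"})
    dc2 = Account("DC2$", {"ldap/dc2.example.test"})
    svc = Account("svc-adlds", {"ldap/lds-vip.example.test"})
    dc_pool = [PoolMember("dc1.example.test", dc1), PoolMember("dc2.example.test", dc2)]
    lds_pool = [PoolMember("lds1.example.test", svc), PoolMember("lds2.example.test", svc)]
    return [dc1, dc2, svc], dc_pool, lds_pool


def demo():
    directory, dc_pool, lds_pool = build_scenarios()
    # Registering the VIP SPN on DC1 only helps DC1; DC2 holds a different key.
    return (gssapi_bind_works(directory, "dc-vip.example.test", dc_pool),
            gssapi_bind_works(directory, "lds-vip.example.test", lds_pool))
```

Registering the VIP SPN on a second DC as well would raise the duplicate-SPN error, which is exactly the situation the KDC cannot resolve.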