Chapter 3. Installing Directory Server with Kerberos authentication behind a load balancer

To provide high availability, install two Directory Server instances behind a load balancer. Users must be able to authenticate with Kerberos.

Note

Setting up this scenario is supported only using the command line.

Setting up this scenario contains the following steps:

Prerequisites

3.1. Understanding the differences when setting up an instance with Kerberos behind a load balancer

If a user accesses a service using the Generic Security Services API (GSSAPI), the Kerberos principal includes the DNS name of the service’s host. If the user connects through a load balancer, the principal contains the DNS name of the load balancer, not the DNS name of the Directory Server host. For example: ldap/loadbalancer.example.com@EXAMPLE.COM.

For the connection to succeed, the Directory Server instance that receives the request must use the same name as the load balancer, even though that name differs from the DNS name of the Directory Server host.

3.2. Creating a .inf file for a Directory Server instance installation

In this section you learn how to create a .inf configuration file for the dscreate utility and how to adjust the .inf file to your environment. In a later step, you will use this file to create the new Directory Server instance.

Procedure

  1. Use the dscreate create-template command to create a template .inf file. For example, to store the template in the /root/instance_name.inf file:

    # dscreate create-template /root/instance_name.inf

The created file contains all available parameters with descriptions.

  2. Edit the file that you created in the previous step:

    1. Uncomment the parameters that you want to set to customize the installation.

      Note

      All parameters have defaults. However, Red Hat recommends customizing certain parameters for a production environment.

      For example, set at least the following parameters:

      [slapd]
      # instance_name (str)
      # Description: ...
      # Default value: localhost
      instance_name = instance_name
      
      # root_password (str)
      # Description: ...
      # Default value: directory manager password
      root_password = password

      The template file that you create with the dscreate create-template command contains the comprehensive list of parameters you can configure in these sections.

    2. To use the instance behind a load balancer with GSSAPI authentication, set the full_machine_name parameter in the [general] section to the fully-qualified domain name (FQDN) of the load balancer instead of the FQDN of the Directory Server host:

      [general]
      # full_machine_name (str)
      # Description: ...
      # Default value: loadbalancer.example.com
      full_machine_name = loadbalancer.example.com

      For details, see Section 3.1, “Understanding the differences when setting up an instance with Kerberos behind a load balancer”.

    3. Uncomment the strict_host_checking parameter in the [general] section and set it to False:

      # strict_host_checking (bool)
      # Description: ...
      # Default value: True
      strict_host_checking = False

    4. To automatically create a suffix during instance creation:

      1. Uncomment the create_suffix_entry parameter, and set it to true:

        # create_suffix_entry (bool)
        # Description: ...
        # Default value: False
        create_suffix_entry = True

      2. Uncomment the suffix parameter, and set a suffix:

        # suffix (str)
        # Description: ...
        # Default value:
        suffix = dc=example,dc=com

        Important

        Instead of creating the suffix during instance creation, you can create it later as described in Creating Databases in the Red Hat Directory Server Administration Guide. However, without creating a suffix, you cannot store data in this instance.

    5. Optionally, uncomment other parameters and set them to appropriate values for your environment. For example, use these parameters to specify different ports for the LDAP and LDAPS protocols.

      Note

      By default, new instances that you create include a self-signed certificate and TLS enabled. For increased security, Red Hat recommends that you do not disable this feature. Note that you can replace the self-signed certificate with a certificate issued by a Certificate Authority (CA) at a later date.

Additional resources

  • For a full list of parameters that you can set in the .inf file and descriptions of each parameter, see the template file that the dscreate create-template command creates.
  • For details about installing a certificate after the installation, see the Managing the NSS Database Used by Directory Server section in the Red Hat Directory Server Administration Guide.

3.3. Using a .inf file to set up a new Directory Server instance

This section describes how to use a .inf file to set up a new Directory Server instance using the command line.

Prerequisites

Procedure

  1. Pass the .inf file to the dscreate from-file command to create the new instance. For example:

    # dscreate from-file /root/instance_name.inf
    Starting installation...
    Completed installation for instance_name

    The created instance is automatically started and configured to start when the system boots.

  2. Open the required ports in the firewall. See Section 3.4, “Opening required ports in the firewall”.

3.4. Opening required ports in the firewall

To allow other machines to connect to Directory Server over the network, open the required ports in the local firewall.

If no ports were specified during the instance creation, the instance uses port 389 for LDAP and port 636 for LDAPS.

Prerequisites

  • The port numbers for the LDAP and LDAPS protocols set during the instance creation.

Procedure

  1. Ensure that the firewalld service is running.

    • To find out if firewalld is currently running:

      # systemctl status firewalld
      ● firewalld.service - firewalld - dynamic firewall daemon
         Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
         Active: active (running) since Fri 2018-06-15 14:06:33 CEST; 1h 17min ago
         ...

    • To start firewalld and configure the service to start automatically when the system boots:

      # systemctl start firewalld
      # systemctl enable firewalld

  2. Open the required ports using the firewall-cmd utility. For example, to open the LDAP and LDAPS default ports in the default firewall zone:

    # firewall-cmd --permanent --add-port={389/tcp,636/tcp}

  3. Reload the firewall configuration to ensure that the change occurs immediately:

    # firewall-cmd --reload

Additional resources

  • For details on using firewall-cmd to open ports on a system, see the Red Hat Enterprise Linux Security Guide or the firewall-cmd(1) man page.
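The two .inf settings that Section 3.2 requires for this scenario (full_machine_name set to the load balancer’s FQDN, strict_host_checking set to False) and the port numbers that Section 3.4 needs for the firewall can both be read back from the .inf file before you run dscreate from-file. The following shell script is an added example written for this page; it is not part of the Red Hat documentation or of the dscreate utility. It assumes the .inf file uses the INI layout that dscreate create-template produces, that the LDAP and LDAPS ports are the port and secure_port parameters of the [slapd] section (the template’s names for them), and that .inf booleans follow Python configparser spelling, so False, false, no, off and 0 all mean false. It writes a constructed sample .inf to a temporary file so that it runs without Directory Server installed.

```shell
#!/bin/sh
# Added example for checking a dscreate .inf file for the load-balancer scenario.
# Not part of the Red Hat documentation or of dscreate.

# inf_get FILE SECTION KEY -> prints the value of KEY inside [SECTION], or nothing.
# Commented-out template lines such as "# full_machine_name (str)" are skipped,
# so a parameter that was never uncommented reads as unset.
inf_get() {
    awk -v section="$2" -v key="$3" '
        /^[ \t]*#/ { next }                                              # comment line
        /^[ \t]*\[/ { in_sec = ($0 ~ "^[ \t]*\\[" section "\\][ \t]*$"); next }
        in_sec && $0 ~ "^[ \t]*" key "[ \t]*=" {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# check_lb_inf FILE LB_FQDN -> exit 0 when FILE is ready for use behind LB_FQDN,
# exit 1 (with one line per problem) otherwise. The name must match because the
# Kerberos principal users request is ldap/<load balancer FQDN>@REALM.
check_lb_inf() {
    file=$1; lb=$2; rc=0
    fmn=$(inf_get "$file" general full_machine_name)
    shc=$(inf_get "$file" general strict_host_checking)
    if [ "$fmn" != "$lb" ]; then
        echo "full_machine_name is '${fmn:-unset}', expected '$lb' (must match the load balancer)"
        rc=1
    fi
    case "$shc" in
        [Ff]alse|[Nn]o|[Oo]ff|0) ;;           # configparser spellings of false
        *) echo "strict_host_checking is '${shc:-unset}', expected False"; rc=1 ;;
    esac
    return $rc
}

# firewall_cmd_for FILE -> prints the firewall-cmd line that opens the LDAP and
# LDAPS ports configured in [slapd] (port / secure_port), defaulting to 389/636.
firewall_cmd_for() {
    p=$(inf_get "$1" slapd port); s=$(inf_get "$1" slapd secure_port)
    echo "firewall-cmd --permanent --add-port={${p:-389}/tcp,${s:-636}/tcp}"
}

# Constructed sample .inf (not taken from the page) with non-default ports.
SAMPLE_INF=$(mktemp)
cat > "$SAMPLE_INF" <<'EOF'
[general]
# full_machine_name (str)
# Default value: server1.example.com
full_machine_name = loadbalancer.example.com
# strict_host_checking (bool)
# Default value: True
strict_host_checking = False

[slapd]
instance_name = instance_name
port = 3389
secure_port = 6636
root_password = password
EOF

# A second constructed file that leaves the template defaults in place, i.e.
# full_machine_name still commented out and strict_host_checking = True.
BAD_INF=$(mktemp)
sed -e 's/^full_machine_name/# full_machine_name/' \
    -e 's/^strict_host_checking = .*/strict_host_checking = True/' "$SAMPLE_INF" > "$BAD_INF"

echo "== $SAMPLE_INF"
check_lb_inf "$SAMPLE_INF" loadbalancer.example.com && echo "ok: ready for the load balancer"
firewall_cmd_for "$SAMPLE_INF"
echo "== $BAD_INF (template defaults)"
check_lb_inf "$BAD_INF" loadbalancer.example.com || echo "not ok: fix the [general] section first"
```

Run check_lb_inf against the real file (for example /root/instance_name.inf) before dscreate from-file; the printed firewall-cmd line is the one to run in Section 3.4 and still needs firewall-cmd --reload afterwards.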

3.5. Creating a keytab for the load balancer and configuring Directory Server to use the keytab

Before users can authenticate to Directory Server behind a load balancer using GSSAPI, you must create a Kerberos principal for the load balancer and configure Directory Server to use it. This section describes this procedure.

Prerequisites

An instance that contains the following .inf file configuration:

  • The full_machine_name parameter set to the DNS name of the load balancer.
  • The strict_host_checking parameter set to False.

Procedure

  1. Create the Kerberos principal for the load balancer. For example, ldap/loadbalancer.example.com@EXAMPLE.COM.
  2. Optionally, you can add further principals to the keytab file. For example, to enable users to connect to the Directory Server instance behind the load balancer directly using Kerberos authentication, add additional principals for the Directory Server host. For example, ldap/server1.example.com@EXAMPLE.COM.

    The procedure to create the service principal depends on your Kerberos installation. For details, see your Kerberos server’s documentation.

  3. Copy the service keytab file to the Directory Server. For example, store it in the /etc/dirsrv/slapd-instance_name/ldap.keytab file.
  4. Add the path to the service keytab to the /etc/sysconfig/slapd-instance_name file:

    KRB5_KTNAME=/etc/dirsrv/slapd-instance_name/ldap.keytab

  5. Restart the Directory Server instance:

    # systemctl restart dirsrv@instance_name

  6. Verify that you can connect to the load balancer using the GSSAPI protocol. For example:

    # ldapsearch -H ldap://loadbalancer.example.com -Y GSSAPI

    If you added additional Kerberos principals to the keytab file, such as for the Directory Server host itself, you must also verify these connections. For example:

    # ldapsearch -H ldap://server1.example.com -Y GSSAPI
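A failed GSSAPI bind in step 6 usually comes down to one of two things from steps 3 and 4: the KRB5_KTNAME line does not point at the keytab, or the keytab does not contain the principal name that clients request (ldap/<load balancer FQDN>@REALM, plus ldap/<host FQDN>@REALM if you added it). The following shell script is an added example written for this page, not part of the Red Hat documentation; it checks both conditions. It assumes the sysconfig file carries the KRB5_KTNAME=... line shown in step 4 and that klist -k prints each principal as the last field of its line. To keep it runnable without a Kerberos installation, it reads a constructed klist -k listing from a file instead of invoking klist; in production you would feed it the output of klist -k on the configured keytab.

```shell
#!/bin/sh
# Added example for verifying the keytab wiring from Section 3.5.
# Not part of the Red Hat documentation.

# sysconfig_keytab FILE -> prints the keytab path from the KRB5_KTNAME= line
# (surrounding double quotes are stripped; the last such line wins).
sysconfig_keytab() {
    sed -n 's/^KRB5_KTNAME=//p' "$1" | sed 's/^"\(.*\)"$/\1/' | tail -n 1
}

# keytab_lists_principal PRINCIPAL  (reads `klist -k` output on stdin)
# -> exit 0 if PRINCIPAL appears exactly; a realm-less or partial name does
#    not match, because Kerberos compares the full principal.
keytab_lists_principal() {
    awk -v want="$1" '$NF == want { found = 1 } END { exit !found }'
}

# check_keytab_wiring SYSCONFIG LISTING PRINCIPAL...
# SYSCONFIG is the /etc/sysconfig/slapd-<instance> file, LISTING a file holding
# `klist -k` output for the keytab it names. Exit 0 only if the keytab path is
# set and every PRINCIPAL is present.
check_keytab_wiring() {
    sysconf=$1; listing=$2; shift 2; rc=0
    kt=$(sysconfig_keytab "$sysconf")
    if [ -z "$kt" ]; then
        echo "KRB5_KTNAME is not set in $sysconf (step 4)"
        return 1
    fi
    for p in "$@"; do
        if keytab_lists_principal "$p" < "$listing"; then
            echo "ok: $p is in $kt"
        else
            echo "missing: $p is not in $kt (step 1/2)"; rc=1
        fi
    done
    return $rc
}

# Constructed sysconfig file and klist -k listing (not captured from a real host).
SYSCONFIG=$(mktemp); LISTING=$(mktemp)
cat > "$SYSCONFIG" <<'EOF'
# constructed /etc/sysconfig/slapd-instance_name
KRB5_KTNAME=/etc/dirsrv/slapd-instance_name/ldap.keytab
EOF
cat > "$LISTING" <<'EOF'
Keytab name: FILE:/etc/dirsrv/slapd-instance_name/ldap.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ldap/loadbalancer.example.com@EXAMPLE.COM
   2 ldap/server1.example.com@EXAMPLE.COM
EOF

check_keytab_wiring "$SYSCONFIG" "$LISTING" \
    ldap/loadbalancer.example.com@EXAMPLE.COM ldap/server1.example.com@EXAMPLE.COM \
    && echo "keytab wiring OK; restart dirsrv@instance_name if you changed it"
```

On a real host, produce the listing with klist -k "$(sysconfig_keytab /etc/sysconfig/slapd-instance_name)" > listing.txt and run check_keytab_wiring with the principals you created in steps 1 and 2; only after it passes is the ldapsearch -Y GSSAPI test in step 6 meaningful.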