Chapter 4. Advanced Setup and Configuration
After the default Directory Server and Admin Server have been configured, there are tools available to manage, create, and remove server instances. These include Admin Server configurations to allow people to access the Directory Server files remotely, silent setup tools for installing instances from file configuration, and instance setup and removal scripts.
4.1. Installing Directory Server Behind a Load Balancer
As an administrator, you want to install two Directory Server instances behind a load balancer to provide high availability. For a working Generic Security Services API (GSSAPI) setup, you want to disable the strict host name check during the Directory Server installation and set the Directory Server host name configuration to the DNS name of the load balancer.
If a user accesses a service using GSSAPI, the Kerberos principal includes the DNS name of the service's host. If the user connects to a load balancer, the principal contains the DNS name of the load balancer, not the name of the Directory Server. For example: ldap/loadbalancer.example.com@EXAMPLE.COM. For a working connection, the Directory Server the request is forwarded to must use the name of the load balancer, even if its own DNS name is different, such as ldap1.example.com.
To set up this scenario, follow the steps below for each Directory Server to install behind the load balancer:
- Set up the Directory Server instance using the DNS name of the load balancer and disable the strict host name check:
# setup-ds-admin.pl General.StrictHostCheck=false \
    General.FullMachineName=loadbalancer.example.com
- Follow the steps described in Chapter 3, Setting up Red Hat Directory Server on Red Hat Enterprise Linux, to finalize the Directory Server installation.
- Create a Kerberos principal for the load balancer. For example:
ldap/loadbalancer.example.com@EXAMPLE.COM
Optionally, you can add further principals to the keytab file. For example, to enable users to connect directly to a Directory Server instance behind the load balancer using Kerberos authentication, add an additional principal for that Directory Server host. For example:
ldap/ldap1.example.com@EXAMPLE.COM
The procedure to create the service principal depends on your Kerberos installation. For details, see your Kerberos server's documentation.
- Copy the service keytab file to the Directory Server. For example, to:
/etc/dirsrv/slapd-instance_name/ldap.keytab
- Add the path to the service keytab to /etc/sysconfig/dirsrv-instance_name:
KRB5_KTNAME=/etc/dirsrv/slapd-instance_name/ldap.keytab
- Restart the Directory Server service:
# systemctl restart dirsrv@instance_name
- Verify that you can connect to the load balancer using the GSSAPI protocol. For example:
# ldapsearch -H ldap://loadbalancer.example.com -Y GSSAPI
If you added additional Kerberos principals to the keytab file, such as for the Directory Server host itself, additionally verify these connections. For example:
# ldapsearch -H ldap://ldap1.example.com -Y GSSAPI
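A keytab that lacks the principal for one of the host names in use makes GSSAPI binds through that name fail, and a wrong KRB5_KTNAME path leaves the server without any service key. The following Python script is an added example, not part of the Red Hat documentation: it checks saved `klist -kt` output and the sysconfig file against the principals the procedure above requires. The `klist` and sysconfig text it parses are constructed samples; the host and realm names are the ones used in the text above.

```python
"""Offline check that a keytab and sysconfig file match the load-balancer GSSAPI setup.
Sample inputs are constructed for this example; host names follow the text above."""
import re

# Constructed sample of `klist -kt /etc/dirsrv/slapd-instance_name/ldap.keytab` output.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/dirsrv/slapd-instance_name/ldap.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/15/2020 10:23:11 ldap/loadbalancer.example.com@EXAMPLE.COM
   2 01/15/2020 10:23:12 ldap/ldap1.example.com@EXAMPLE.COM
"""
# Constructed sample of /etc/sysconfig/dirsrv-instance_name.
SAMPLE_SYSCONFIG = """\
# Environment for the dirsrv@instance_name service
KRB5_KTNAME=/etc/dirsrv/slapd-instance_name/ldap.keytab
"""
KLIST_LINE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*$")

def keytab_principals(klist_output):
    """Distinct principals listed by `klist -kt` (one line per KVNO/enctype)."""
    return {m.group(1) for m in map(KLIST_LINE.match, klist_output.splitlines()) if m}

def required_principals(realm, load_balancer, backends=()):
    """ldap/<host>@REALM for the load balancer (mandatory) plus any backend
    hosts that should also accept direct GSSAPI binds."""
    return [f"ldap/{host}@{realm}" for host in (load_balancer, *backends)]

def missing_principals(klist_output, realm, load_balancer, backends=()):
    """Required principals absent from the keytab; a GSSAPI bind through that
    host name cannot succeed until its key is added."""
    present = keytab_principals(klist_output)
    return [p for p in required_principals(realm, load_balancer, backends) if p not in present]

def keytab_path_from_sysconfig(text):
    """Value of KRB5_KTNAME in the sysconfig file, or None if it is not set."""
    for line in text.splitlines():
        m = re.match(r"^\s*(?:export\s+)?KRB5_KTNAME=(.+?)\s*$", line)
        if m:
            return m.group(1).strip("\"'")
    return None

if __name__ == "__main__":
    gaps = missing_principals(SAMPLE_KLIST, "EXAMPLE.COM", "loadbalancer.example.com",
                              backends=("ldap1.example.com", "ldap2.example.com"))
    print("KRB5_KTNAME:", keytab_path_from_sysconfig(SAMPLE_SYSCONFIG))
    print("missing principals:", gaps or "none")
```

With the constructed samples the script reports that ldap/ldap2.example.com@EXAMPLE.COM is missing, which is exactly the case where direct binds to that backend would fail while binds through the load balancer still work.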
