Chapter 4. Advanced Setup and Configuration

After the default Directory Server and Admin Server have been configured, tools are available to manage, create, and remove server instances. These include Admin Server configuration for remote access to Directory Server files, silent setup tools that install instances from a configuration file, and scripts to set up and remove instances.

4.1. Installing Directory Server Behind a Load Balancer

As an administrator, you can install two Directory Server instances behind a load balancer to provide high availability. For a working Generic Security Services API (GSSAPI) setup, disable the strict host name check during the Directory Server installation and set the Directory Server host name to the DNS name of the load balancer.
When a user accesses a service using GSSAPI, the Kerberos service principal the client requests a ticket for is derived from the DNS name of the host the client connects to. If the user connects to a load balancer, the principal therefore contains the DNS name of the load balancer, not that of the Directory Server instance. For example: ldap/loadbalancer.example.com@EXAMPLE.COM. For the connection to work, the Directory Server instance the request is forwarded to must accept tickets for the load balancer's name, even if its own DNS name is different, such as ldap1.example.com, and so it must hold the key for that principal in its keytab.
To set up this scenario, follow the steps below for each Directory Server instance you install behind the load balancer:
  1. Set up the Directory Server instance using the DNS name of the load balancer and disable the strict host name check:
    # setup-ds-admin.pl General.StrictHostCheck=false \
                        General.FullMachineName=loadbalancer.example.com
  2. Follow the steps described in Chapter 3, Setting up Red Hat Directory Server on Red Hat Enterprise Linux to finalize the Directory Server installation.
  3. Create a Kerberos principal for the load balancer. For example: ldap/loadbalancer.example.com@EXAMPLE.COM
    Optionally, you can add further principals to the keytab file. For example, to enable users to connect to the Directory Server instance behind the load balancer directly using Kerberos authentication, add additional principals for the Directory Server host. For example: ldap/ldap1.example.com@EXAMPLE.COM.
    The procedure to create the service principal depends on your Kerberos installation. For details, see your Kerberos server's documentation.
  4. Copy the service keytab file to the Directory Server. For example, to /etc/dirsrv/slapd-instance_name/ldap.keytab. The keytab contains the long-term service keys, so make sure it is owned by the user the Directory Server instance runs as and is not readable by other users.
  5. Add the path to the service keytab to /etc/sysconfig/dirsrv-instance_name:
    KRB5_KTNAME=/etc/dirsrv/slapd-instance_name/ldap.keytab
  6. Restart the Directory Server service:
    # systemctl restart dirsrv@instance_name
  7. Verify that you can connect through the load balancer using the GSSAPI SASL mechanism. You need a valid Kerberos ticket, for example obtained with kinit, before running the search. For example:
    # ldapsearch -H ldap://loadbalancer.example.com -Y GSSAPI
    If you added additional Kerberos principals to the keytab file, such as for the Directory Server host itself, additionally verify these connections. For example:
    # ldapsearch -H ldap://ldap1.example.com -Y GSSAPI
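The following script is an added example; it is not part of the Red Hat Directory Server guide or of the product's own tooling. It automates and checks the keytab-related steps of the procedure above (steps 4 to 7): it sets KRB5_KTNAME in the sysconfig file without creating duplicate lines on reruns, verifies that the keytab is not group- or world-readable, and parses a `klist -kt` listing to confirm that the required principals are present before you attempt the GSSAPI bind. The instance name instance_name, the keytab path and the principal names are taken from the text; the klist listing embedded in the script is constructed sample data, and check_instance is a hypothetical wrapper that assumes klist is installed on the Directory Server host.

```shell
#!/bin/sh
# Added example, not from the RHDS guide: helpers for steps 4 to 7 above.
# instance_name, the keytab path and the principals are assumptions that
# follow the text; adjust them for your deployment.

# Step 5: set KRB5_KTNAME in the instance's sysconfig file. An existing line
# is replaced instead of appending a second one, so the function is safe to
# rerun. The file is created if it does not exist yet.
set_keytab_path() {
    sysconfig=$1
    keytab=$2
    if [ -f "$sysconfig" ] && grep -q '^KRB5_KTNAME=' "$sysconfig"; then
        tmp=$(mktemp)
        sed "s|^KRB5_KTNAME=.*|KRB5_KTNAME=${keytab}|" "$sysconfig" > "$tmp"
        cat "$tmp" > "$sysconfig"   # overwrite in place to keep owner and mode
        rm -f "$tmp"
    else
        printf 'KRB5_KTNAME=%s\n' "$keytab" >> "$sysconfig"
    fi
}

# Print the keytab path currently configured in a sysconfig file (last
# KRB5_KTNAME line wins, mirroring how the shell would source the file).
get_keytab_path() {
    sed -n 's/^KRB5_KTNAME=//p' "$1" | tail -n 1
}

# Step 4 check: the keytab holds long-term service keys, so it must exist and
# must carry no group or other permission bits (mode 0600 or 0400).
keytab_perms_ok() {
    keytab=$1
    [ -f "$keytab" ] || return 1
    [ "$(ls -l "$keytab" | cut -c5-10)" = '------' ]
}

# Step 7 prerequisite: read a `klist -kt KEYTAB` listing on stdin and succeed
# only if the given principal is present. The principal is the last
# whitespace-separated field of each entry line; the match is exact, so a
# name without its realm does not count.
keytab_has_principal() {
    awk '{ print $NF }' | grep -qxF -- "$1"
}

# Constructed sample in the format `klist -kt` prints; not real output.
SAMPLE_KLIST='Keytab name: FILE:/etc/dirsrv/slapd-instance_name/ldap.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/15/2020 10:42:11 ldap/loadbalancer.example.com@EXAMPLE.COM
   2 01/15/2020 10:42:11 ldap/ldap1.example.com@EXAMPLE.COM'

# Hypothetical wrapper: run all checks for one instance.
# Usage: check_instance instance_name principal [principal ...]
check_instance() {
    instance=$1; shift
    sysconfig=/etc/sysconfig/dirsrv-$instance
    keytab=$(get_keytab_path "$sysconfig" 2>/dev/null)
    [ -n "$keytab" ] || { echo "no KRB5_KTNAME in $sysconfig"; return 1; }
    keytab_perms_ok "$keytab" || { echo "$keytab missing or too permissive"; return 1; }
    for p in "$@"; do
        klist -kt "$keytab" | keytab_has_principal "$p" \
            || { echo "$p not in $keytab"; return 1; }
    done
    echo "$instance: keytab path, permissions and principals look good"
}

# Demo against the constructed sample; safe to run on any host.
for p in ldap/loadbalancer.example.com@EXAMPLE.COM ldap/ldap2.example.com@EXAMPLE.COM; do
    if printf '%s\n' "$SAMPLE_KLIST" | keytab_has_principal "$p"; then
        echo "present: $p"
    else
        echo "missing: $p"
    fi
done
```

On a real host, run check_instance instance_name ldap/loadbalancer.example.com@EXAMPLE.COM ldap/ldap1.example.com@EXAMPLE.COM as root after step 5; when it passes, restart the instance (step 6) and run the ldapsearch from step 7 with a valid ticket. A missing load balancer principal is the usual cause of a GSSAPI bind failing through the load balancer while the direct connection to ldap1.example.com works.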