Forum Discussion

inayamat_216028
Nov 24, 2015

Problem Load-balancing LDAP with GSSAPI using SASL Authentication

Hello,

 

We are trying to perform LDAP Load-balancing with F5 BIG-IP 12.0.0 Build 0.0.606 Final VE on port 389 using Windows 2012 R2 Active Directory Domain Controllers as pool members.

 

We have the load-balancing working at the port level because ldapsearch with simple bind works. But we run into problems when we try SASL Authentication.

 

It appears that when we try ldapsearch with option -Y GSSAPI, we get an error:

 

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)

 

When we put in an alias in the client's /etc/hosts file for the Virtual Server IP with the hostname of the Microsoft Active Directory Domain Controller, the ldapsearch works:

 

root@lab01:~ ldapsearch -Y GSSAPI -b "ou=Accounts,dc=XXX,dc=com" "(&(objectClass=user)(XXX=username))" -h 172.16.1.XXX
SASL/GSSAPI authentication started
SASL username: username@domain.COM
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <ou=Accounts,dc=XXX,dc=com> with scope subtree
# filter: (&(objectClass=user)(XXX=username))
# requesting: ALL
#

# search result
search: 4
result: 0 Success

# numResponses: 1

It looks like somewhere in the SASL Authentication process, there is a reverse lookup of the source IP, and if the reverse lookup of the source IP does not match the hostname of the responding domain controller, the SASL Authentication fails.

 

When we place 2 domain controllers into the pool, the ldapsearch will toggle between success and failure. And when it fails, I get this error message:

 

root@lab01:~ ldapsearch -Y GSSAPI -b "ou=Accounts,dc=domain,dc=com" "(&(objectClass=user)(XXX=username))" -h 172.16.1.XXX
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Message stream modified)

 

It looks like if the reverse lookup does not match the responding domain controller, the SASL client thinks that the response was spoofed (Message stream modified).

 

F5 Support already looked at this and did their best, but ended up telling me that resolution to this problem is out of scope.

 

So I wanted to see if someone else has already got something like this working, or if there are any possible iRule based solution for load-balancing LDAP with SASL Authentication.

 

Thank you

 

2 Replies

  • Hi inayamat, hi Yves,

     

    SASL/GSSAPI depends on Kerberos session keys derived from TGS Tickets to authenticate and secure the LDAP(S) connection.

     

    Whenever Load-Balancing meets Kerberos, you have to make sure that the load balanced services are all running under the same Service-Account, so that a single DNS Entry >> SPN Record >> Kerberos-TGS can be used to access and authenticate against every single pool member (it's a MUST have).

     

    Unfortunately an Active Directory Domain Controller cannot be configured to use a custom Service-Account to run its AD-LDAP Database. It will always use its Computer-Account identity and therefore simply won't work in a load balanced cluster.

     

    Note: With AD LDS (Active Directory Lightweight Directory Services) you can configure an LDAP Service-Account of your choice, so that using LDAP-SASL/GSSAPI in combination with Load-Balancing isn't a problem anymore...

     

    Note: You can also try to use a non-existent DNS Name while accessing the load balanced LDAPs. This will normally result in a fallback to NTLM. But keep in mind that it's not guaranteed that every client is able to perform the fallback...

     

    Cheers, Kai
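The two failure modes in the original post (SPN not found when the VIP has no reverse name; "Message stream modified" when the ticket was issued for one DC's computer account but another DC answers) and the fix Kai describes (every pool member holding the key of one shared service account, as AD LDS allows) are the same three-step Kerberos flow. The following is an added example written for this thread, not code from the original post, the reply, F5 or Microsoft. It emulates libkrb5's host-name canonicalization, a KDC's SPN lookup and the answering server's ticket check. All hostnames, addresses, account names and keys are constructed, and an HMAC over the SPN stands in for the real ticket encryption, which is enough to model "can the server that answered verify this ticket".

```python
"""Toy model of SASL/GSSAPI (Kerberos) behind an LDAP load balancer.

Added example for the thread above; constructed names, addresses and keys.
Steps modelled:
  1. client canonicalizes the '-h' target into an SPN ldap/<host>@REALM
     (gethostbyaddr() via /etc/hosts, then DNS PTR, as libkrb5 does with rdns on)
  2. KDC looks the SPN up and issues a ticket under the owning account's key
  3. the pool member that answers verifies the ticket with its own key
"""

from dataclasses import dataclass
import hashlib
import hmac

REALM = "DOMAIN.COM"

# Constructed DNS. The VIP 172.16.1.100 has no PTR record.
A_RECORDS = {"dc1.domain.com": "172.16.1.11", "dc2.domain.com": "172.16.1.12",
             "ldap-vip.domain.com": "172.16.1.100"}
PTR_RECORDS = {"172.16.1.11": "dc1.domain.com", "172.16.1.12": "dc2.domain.com"}

# Constructed long-term keys: each DC has its own computer-account key,
# while the AD LDS instances both run under one service account.
KEYS = {"DC1$": b"k-dc1", "DC2$": b"k-dc2", "svc_adlds": b"k-svc"}


class KerberosError(Exception):
    """Message text mirrors the GSS minor-status strings in the thread."""


@dataclass
class Kdc:
    spn_owner: dict  # SPN -> account that has the SPN registered (setspn)

    def service_ticket(self, spn):
        owner = self.spn_owner.get(spn)
        if owner is None:
            raise KerberosError("Server not found in Kerberos database")
        # Stand-in for encrypting the ticket under the owner's key.
        mac = hmac.new(KEYS[owner], spn.encode(), hashlib.sha256).digest()
        return spn, mac


@dataclass
class PoolMember:
    hostname: str
    account: str  # account whose key this server holds

    def accept(self, ticket):
        spn, mac = ticket
        expected = hmac.new(KEYS[self.account], spn.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            # KRB_AP_ERR_MODIFIED: the ticket was not issued for our key.
            raise KerberosError("Message stream modified")
        return True


def target_spn(target, hosts_file=None, rdns=True):
    """Emulate how the client turns the '-h' argument into a service principal."""
    hosts_file = hosts_file or {}  # /etc/hosts modelled as address -> name
    if target in A_RECORDS:
        addr, name = A_RECORDS[target], target
    else:
        addr, name = target, None  # literal IP address, as in the thread
    if rdns or name is None:
        name = hosts_file.get(addr) or PTR_RECORDS.get(addr) or name or addr
    return f"ldap/{name}@{REALM}"


def gssapi_bind(kdc, target, pool, hosts_file=None, rdns=True):
    """One outcome per pool member, i.e. what round-robin would show over time."""
    try:
        ticket = kdc.service_ticket(target_spn(target, hosts_file, rdns))
    except KerberosError as e:
        return [f"{m.hostname}: {e}" for m in pool]
    results = []
    for m in pool:
        try:
            m.accept(ticket)
            results.append(f"{m.hostname}: Success")
        except KerberosError as e:
            results.append(f"{m.hostname}: {e}")
    return results


def scenarios():
    ad_kdc = Kdc({"ldap/dc1.domain.com@DOMAIN.COM": "DC1$",
                  "ldap/dc2.domain.com@DOMAIN.COM": "DC2$"})
    dcs = [PoolMember("dc1.domain.com", "DC1$"), PoolMember("dc2.domain.com", "DC2$")]
    out = {}
    # 1. VIP address with no reverse name: SPN becomes ldap/172.16.1.100, unknown to the KDC.
    out["vip_no_ptr"] = gssapi_bind(ad_kdc, "172.16.1.100", dcs)
    # 2. /etc/hosts aliases the VIP to dc1's name: ticket is for DC1$, so dc2 cannot verify it.
    out["vip_hosts_alias"] = gssapi_bind(ad_kdc, "172.16.1.100", dcs,
                                         hosts_file={"172.16.1.100": "dc1.domain.com"})
    # 3. AD LDS: one service account owns ldap/ldap-vip.domain.com and runs on every member.
    lds_kdc = Kdc({"ldap/ldap-vip.domain.com@DOMAIN.COM": "svc_adlds"})
    lds = [PoolMember("lds1.domain.com", "svc_adlds"), PoolMember("lds2.domain.com", "svc_adlds")]
    out["adlds_shared_account"] = gssapi_bind(lds_kdc, "ldap-vip.domain.com", lds)
    return out


if __name__ == "__main__":
    for name, rows in scenarios().items():
        print(name, rows)
```

On a real client the same three steps can be inspected directly: `klist` after the failed bind shows which service principal the client actually requested a ticket for, `dig -x <VIP>` shows the PTR name it will canonicalize to, and on the Windows side `setspn -L <account>` lists which account holds that SPN. If the SPN belongs to one DC's computer account, any pool member other than that DC will reject the ticket, which is the toggling the original post observed.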