Active Directory: Support load-balanced LDAP servers #718

@nightkr

Description

Affected Stackable version

25.3

Affected OpenPolicyAgent version

irrelevant, user-info-fetcher

Current and expected behavior

Currently, we don't support connecting to LDAP servers that are behind DNS-based load balancing, instead just returning a kind-of-useless "not found in Kerberos database" error.

This is because we disable krb5's DNS canonicalization. Normally, it does a "canonicalization dance" for each request. Let's say we try to connect to ldap-lb. That would then be resolved to 1.2.3.4, which is what we do a TCP connection to. Then it would do a reverse DNS (PTR) query for the IP address (1.2.3.4), which returns the hostname for that specific replica (ldap-1). Then it'd use that hostname to build the Kerberos principal that we validate against (ldap/[email protected]).

We disable DNS canonicalization, because it causes other problems in K8s (K8s pods have inconsistent PTR results, which would cause other similar issues depending on the order returned...). That makes krb5 use the specified hostname for the principal instead (ldap/[email protected]). The LDAP server doesn't have that principal, so we fail to authenticate. (The actual "Kerberos database" error is because the Kerberos KDC doesn't have any registered principal with that name.)

Possible solution

I honestly don't know.

We can't just blanket-enable canonicalization, because of the aforementioned K8s issues. But we also need to handle this in some way. Maybe we'll need some flag on which krb5.conf to generate, but that feels like a slippery road to start walking.
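An added model (not krb5, OPA or Stackable code) of the principal construction described under "Current and expected behavior", so the two modes can be compared side by side; it uses constructed A and PTR tables, a placeholder realm, and assumes that "disabling canonicalization" refers to MIT krb5's dns_canonicalize_hostname and rdns settings, which the issue does not name:

```python
from dataclasses import dataclass

REALM = "EXAMPLE.COM"  # placeholder realm, not taken from the issue

# Constructed DNS tables: a load-balanced name fronting two replicas.
A_RECORDS = {
    "ldap-lb.example.com": ["10.0.0.11", "10.0.0.12"],
    "ldap-1.example.com": ["10.0.0.11"],
    "ldap-2.example.com": ["10.0.0.12"],
}
# Constructed PTR tables. 10.0.0.12 carries two PTR answers to model the
# inconsistent reverse results the issue reports for Kubernetes pods.
PTR_RECORDS = {
    "10.0.0.11": ["ldap-1.example.com"],
    "10.0.0.12": ["ldap-2.example.com", "ldap-lb.example.com"],
}
# Service principals the replicas (and the KDC) actually hold.
KNOWN_PRINCIPALS = {
    f"ldap/ldap-1.example.com@{REALM}",
    f"ldap/ldap-2.example.com@{REALM}",
}


@dataclass
class Attempt:
    address: str      # where the TCP connection went
    principal: str    # what the client asks the KDC for
    kdc_knows: bool   # False reproduces the "not found in Kerberos database" error


def connect(hostname, canonicalize, ip_index=0, ptr_index=0, service="ldap"):
    """Model one connection attempt.

    canonicalize=False mirrors the issue's current behaviour (assumed to be
    dns_canonicalize_hostname and rdns off): the typed hostname goes straight
    into the principal. canonicalize=True models the forward-then-reverse
    "dance": ip_index selects which A answer the client connected to,
    ptr_index which PTR answer the resolver returned first.
    """
    addrs = A_RECORDS.get(hostname)
    if not addrs:
        raise LookupError(f"no A record for {hostname}")
    address = addrs[ip_index % len(addrs)]
    host = hostname
    if canonicalize:
        ptrs = PTR_RECORDS.get(address, [])
        if ptrs:
            host = ptrs[ptr_index % len(ptrs)]
    principal = f"{service}/{host}@{REALM}"
    return Attempt(address, principal, principal in KNOWN_PRINCIPALS)
```

Running `connect("ldap-lb.example.com", canonicalize=False)` yields the failing `ldap/ldap-lb.example.com@EXAMPLE.COM` principal from the issue, while `canonicalize=True` succeeds or fails depending on which PTR answer comes back first, which is the order-dependence the issue describes for pods.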

Additional context

No response

Environment

No response

Would you like to work on fixing this bug?

None
