Problem Load-balancing LDAP with GSSAPI using SASL Authentication
Hello,
We are trying to perform LDAP Load-balancing with F5 BIG-IP 12.0.0 Build 0.0.606 Final VE on port 389 using Windows 2012 R2 Active Directory Domain Controllers as pool members.
We have the load-balancing working at the port level because ldapsearch with simple bind works. But we run into problems when we try SASL Authentication.
It appears that when we try ldapsearch with option -Y GSSAPI, we get an error:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
When we put in an alias in the client's /etc/hosts file for the Virtual Server IP with the hostname of the Microsoft Active Directory Domain Controller, the ldapsearch works:
root@lab01:~# ldapsearch -Y GSSAPI -b "ou=Accounts,dc=XXX,dc=com" "(&(objectClass=user)(XXX=username))" -h 172.16.1.XXX
SASL/GSSAPI authentication started
SASL username: username@domain.COM
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <ou=Accounts,dc=XXX,dc=com> with scope subtree
# filter: (&(objectClass=user)(XXX=username))
# requesting: ALL
#

# search result
search: 4
result: 0 Success

# numResponses: 1
It looks like somewhere in the SASL Authentication process, there is a reverse lookup of the source IP, and if the reverse lookup of the source IP does not match the hostname of the responding domain controller, the SASL Authentication fails.
When we place 2 domain controllers into the pool, the ldapsearch will toggle between success and failure. And when it fails, I get this error message:
root@lab01:~# ldapsearch -Y GSSAPI -b "ou=Accounts,dc=domain,dc=com" "(&(objectClass=user)(XXX=username))" -h 172.16.1.XXX
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Message stream modified)
It looks like if the reverse lookup does not match the responding domain controller, the SASL client thinks that the response was spoofed (Message stream modified).
F5 Support already looked at this and did their best, but ended up telling me that resolution to this problem is out of scope.
So I wanted to see if someone else has already got something like this working, or if there is any possible iRule-based solution for load-balancing LDAP with SASL Authentication.
Thank you
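The two errors in the post come from the name the Kerberos client canonicalises the target into before it requests a service ticket. The following Python model is an added example and is not part of the original post or of any F5 or OpenLDAP code; it is a simplified model of MIT krb5 name canonicalisation (the `rdns` setting in krb5.conf), with constructed hostnames, IPs and realm. It reproduces the three observed outcomes: no PTR/hosts entry for the VIP gives "Server not found in Kerberos database", an alias that maps the VIP to one DC works only while that DC answers, and a ticket issued for one DC presented to the other cannot be decrypted, which Kerberos reports as KRB_AP_ERR_MODIFIED ("Message stream modified").

```python
"""Model of how a GSSAPI/Kerberos LDAP client derives the service principal
name (SPN) it requests, and why this breaks behind a load balancer.

Added example, not part of the original forum post.  Simplified model of
MIT krb5 behaviour; all hosts, IPs and the realm are constructed values.
"""
from dataclasses import dataclass

REALM = "DOMAIN.COM"  # constructed realm

# Constructed reverse-lookup table (PTR records / /etc/hosts): IP -> hostname.
HOSTS = {
    "172.16.1.10": "dc1.domain.com",
    "172.16.1.11": "dc2.domain.com",
}

VIP = "172.16.1.100"  # constructed virtual-server address


@dataclass(frozen=True)
class DomainController:
    name: str
    # SPNs held by this DC's computer account. Each account has its own key,
    # so a ticket encrypted for dc1's SPN cannot be decrypted by dc2.
    spns: tuple


DCS = (
    DomainController("dc1.domain.com", ("ldap/dc1.domain.com",)),
    DomainController("dc2.domain.com", ("ldap/dc2.domain.com",)),
)

# Every SPN the KDC knows about (what the KDC can issue tickets for).
KDC_SPNS = {spn for dc in DCS for spn in dc.spns}


def client_spn(target, hosts, rdns=True):
    """SPN requested for `ldapsearch -h <target>`.

    With rdns=True (the MIT krb5 default) an IP literal is reverse-resolved
    through the hosts table / PTR record; with rdns=False the name is used
    exactly as typed.
    """
    host = hosts.get(target, target) if rdns else target
    return f"ldap/{host}@{REALM}"


def simulate_bind(target, hosts, answering_dc, rdns=True):
    """Predict the outcome of a GSSAPI bind when `answering_dc` is the pool
    member the load balancer selected for this connection."""
    spn = client_spn(target, hosts, rdns).split("@")[0]
    if spn not in KDC_SPNS:
        # KDC has no such principal -> KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
        return "Server not found in Kerberos database"
    if spn not in answering_dc.spns:
        # Ticket was encrypted with another DC's key -> KRB_AP_ERR_MODIFIED
        return "Message stream modified"
    return "Success"


def walk_through():
    """Replay the three situations described in the post."""
    no_alias = dict(HOSTS)
    with_alias = dict(HOSTS, **{VIP: "dc1.domain.com"})
    return {
        "vip_no_ptr": simulate_bind(VIP, no_alias, DCS[0]),
        "vip_alias_dc1_answers": simulate_bind(VIP, with_alias, DCS[0]),
        "vip_alias_dc2_answers": simulate_bind(VIP, with_alias, DCS[1]),
    }


if __name__ == "__main__":
    for scenario, outcome in walk_through().items():
        print(f"{scenario}: {outcome}")
```

The model makes the security-relevant point explicit: the client is not "spoof-detecting" the load balancer, it is verifying that the ticket it holds was issued for the principal that actually answered. Any working design therefore has to make the principal the client asks for agree with the key held by whichever pool member receives the connection; an alias that pins the VIP to a single DC's name only masks the problem until a different member is selected.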