Load balancing LDAPS to Active Directory with simple bind

Problem description

Can someone please help me with the following question

I understand from this article https://social.technet.microsoft.com/wiki/contents/articles/33547.load-balancers-and-active-directory.aspx that it is not a good idea to load balance LDAP in AD because of Kerberos.

However, my situation is slightly different. I have a non-Windows appliance that uses simple bind (password in clear text) to connect to the AD domain controller.

We then implemented LDAPS (certificate), so even though it is a simple bind it is now encrypted with SSL/TLS.

So, if the client does a simple bind (e.g. does not use SASL) I presume there is no Kerberos exchange, and therefore the issue of load balancing Kerberos does not apply, is that correct?

Many thanks

CXMelga

Recommended answer

You are correct in your understanding. The article you cite is speaking to Kerberos / NTLM authentication for "AD-integrated" applications. Authenticating to AD via LDAP is a different matter. I support a mid-sized (15k account) organization and have many applications authenticating to AD via LDAP over SSL through a load balanced virtual IP. The only "gotcha" is that each domain controller's certificate needs to include a SAN (subject alternative name) for the hostname you assign to the load balancer VIP. Not all LDAP clients bother with certificate validation (or, rather, some LDAP clients let you ignore certificate errors), but you'll spend a lot less time troubleshooting "LDAP problems" that are really trust negotiation problems if you use a valid-for-your-org certificate (this may mean a public cert vendor, including the Let's Encrypt free certs ... although I don't know that I'd want to renew my DC certs every 90 days, or may mean an internal CA that's trusted by all of the computers in your org) with both the DC hostname and load balancer address's hostname associated to it.
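To make the answer's two points concrete, here is an added example (not code from the original poster or the answerer) of what a strict LDAPS client does against a load-balanced VIP: it checks that the domain controller certificate it was handed carries a SAN for the VIP hostname, then sends an LDAPv3 simple bind (no SASL, so no Kerberos exchange) and reads the BindResponse result code. The BER encoding follows RFC 4511; the VIP name ldap.example.com, the DC name dc1.example.com, the bind DN and the password are made-up placeholders.

```python
"""Strict-client model of an LDAPS simple bind through a load-balanced VIP.
Added example for this thread; not code from the poster or answerer. The VIP
name ldap.example.com, dc1.example.com, the bind DN and password are made up."""
import socket
import ssl

def san_dns_names(cert: dict) -> list:
    """DNS entries in the dict shape ssl.SSLSocket.getpeercert() returns."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def hostname_matches(hostname: str, pattern: str) -> bool:
    """Exact match, or one wildcard that covers only the leftmost label."""
    hostname, pattern = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[1:]:
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return False

def cert_covers_vip(cert: dict, vip_hostname: str) -> bool:
    """The answer's gotcha: every DC cert must carry a SAN for the VIP name."""
    return any(hostname_matches(vip_hostname, p) for p in san_dns_names(cert))

# --- LDAPv3 simple bind, BER-encoded by hand (RFC 4511 BindRequest/BindResponse)
def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _ber_int(value: int) -> bytes:
    # non-negative INTEGER; gains a leading 0x00 when the top bit is set
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def simple_bind_request(bind_dn: str, password: str, message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }.
    The password is plain bytes on the wire; only the TLS layer protects it."""
    bind = _tlv(0x60, _ber_int(3)                                  # [APPLICATION 0]
                + _tlv(0x04, bind_dn.encode("utf-8"))              # LDAPDN
                + _tlv(0x80, password.encode("utf-8")))            # [0] simple
    return _tlv(0x30, _ber_int(message_id) + bind)

def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(data: bytes):
    """Return (resultCode, diagnosticMessage); 0 = success, 49 = invalidCredentials."""
    tag, message, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(message, 0)                 # messageID
    tag, op, _ = _read_tlv(message, pos)
    if tag != 0x61:                                   # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)                   # ENUMERATED resultCode
    _, _, pos = _read_tlv(op, pos)                    # matchedDN
    _, diag, _ = _read_tlv(op, pos)                   # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def _recv_message(sock) -> bytes:
    head = _recv_exact(sock, 2)                       # tag + first length byte
    length = head[1]
    if length & 0x80:                                 # long-form length
        extra = _recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + _recv_exact(sock, length)

def ldaps_simple_bind(vip_host: str, bind_dn: str, password: str,
                      cafile: str = None, port: int = 636):
    """Bind through the VIP with CERT_REQUIRED + hostname checking, as a careful
    client should. Returns ((resultCode, diagnostic), SANs of the DC we reached)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((vip_host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=vip_host) as tls:
            cert = tls.getpeercert()                  # already validated by ctx
            if not cert_covers_vip(cert, vip_host):   # surfaces the SAN list on failure
                raise ssl.CertificateError(f"{vip_host} not in SAN {san_dns_names(cert)}")
            tls.sendall(simple_bind_request(bind_dn, password))
            return parse_bind_response(_recv_message(tls)), san_dns_names(cert)
```

Usage against a real VIP is `ldaps_simple_bind("ldap.example.com", "cn=svc,dc=example,dc=com", "s3cret", cafile="internal-ca.pem")`: the default context refuses the handshake if the DC that the load balancer picked presents a certificate whose SAN lacks ldap.example.com, which is exactly the "LDAP problem that is really a trust negotiation problem" the answer describes. The offline pieces (`cert_covers_vip` on a `getpeercert()`-style dict, `simple_bind_request`, `parse_bind_response`) can be exercised without any DC, for example to pre-check each DC's certificate before putting it behind the VIP.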

10-27 21:28