
Re: ldap server failover on Kerberos servers?



As far as OpenLDAP is concerned no.  And frankly, I'd be surprised if that made a difference for anything else.

Kinda the whole point of the VIP. :)

FWIW: I'm not using Kerberos, but all my servers are behind VIPs.

- chris

Chris Jacobs, Systems Administrator
Apollo Group  |  Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661
email:  chris.jacobs@apollogrp.edu

----- Original Message -----
From: openldap-technical-bounces@OpenLDAP.org <openldap-technical-bounces@OpenLDAP.org>
To: openldap-technical@openldap.org <openldap-technical@openldap.org>
Sent: Tue Dec 28 07:29:39 2010
Subject: ldap server failover on Kerberos servers?


Hi,

Using LDAP as the back end for Kerberos principals and openldap 2.3.43 as the
client on the Kerberos servers, I see it's possible to add some failover with
ldap_servers in /etc/krb5.conf and URI in /etc/openldap/ldap.conf.

For example:

/etc/krb5.conf: ldap_servers = ldaps://hostname1:636 ldaps://hostname2:636
/etc/openldap/ldap.conf: URI ldaps://hostname1:636 ldaps://hostname2:636

In our situation, the ldap servers are behind a BigIP so only a single hostname
can be entered.  I'm curious whether it makes any sense to add the BigIP hostname
twice.  Once the initial connection is made by the Kerberos server to the first
ldap server, are there any failure scenarios in which the below would make sense?

/etc/krb5.conf: ldap_servers = ldaps://<bigip hostname>:636 ldaps://<bigip hostname>:636
/etc/openldap/ldap.conf: URI ldaps://<bigip hostname>:636 ldaps://<bigip hostname>:636

Hopefully it makes sense what I'm asking and thanks for your time.

Regards,

Kevin
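An added check (my own Python, not code from this thread or from OpenLDAP) that parses the two settings Kevin shows, `ldap_servers` in krb5.conf and `URI` in ldap.conf, and reports how many distinct endpoints a failover list actually contains, so a VIP hostname listed twice shows up as a single endpoint. Hostnames used in the sample input are constructed.

```python
"""Check whether an OpenLDAP/krb5 failover URI list gives real redundancy."""
import re
from urllib.parse import urlsplit

# Default ports per scheme when the URI omits one (ldapi has no TCP port).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636, "ldapi": None}


def parse_uri_list(value):
    """Split a space-separated URI list into (scheme, host, port) tuples."""
    endpoints = []
    for uri in value.split():
        parts = urlsplit(uri)
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORTS:
            raise ValueError(f"unsupported scheme in {uri!r}")
        host = (parts.hostname or "").lower()
        port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
        endpoints.append((scheme, host, port))
    return endpoints


def setting_value(config_text, key):
    """Return the value of 'key = value' (krb5.conf) or 'KEY value' (ldap.conf)."""
    pattern = re.compile(rf"^\s*{re.escape(key)}\s*=?\s*(.+?)\s*$",
                         re.IGNORECASE | re.MULTILINE)
    match = pattern.search(config_text)
    return match.group(1) if match else ""


def effective_failover(value):
    """Distinct endpoints in list order; repeats of the same host:port are dropped."""
    seen, distinct = set(), []
    for endpoint in parse_uri_list(value):
        if endpoint not in seen:
            seen.add(endpoint)
            distinct.append(endpoint)
    return distinct


def check_redundancy(value):
    """Summarise how many entries were listed versus how many targets they reach."""
    listed = parse_uri_list(value)
    distinct = effective_failover(value)
    return {"listed": len(listed), "distinct": len(distinct),
            "redundant": len(distinct) > 1}


if __name__ == "__main__":
    # Constructed sample: the same VIP named twice collapses to one endpoint.
    print(check_redundancy("ldaps://bigip.example.com:636 ldaps://bigip.example.com:636"))
```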
