ldap server failover on Kerberos servers?
- To: openldap-technical@openldap.org
- Subject: ldap server failover on Kerberos servers?
- From: Kevin Longfellow <klongfel@yahoo.com>
- Date: Tue, 28 Dec 2010 06:29:39 -0800 (PST)
Hi,
Using LDAP as the back end for Kerberos principals and openldap 2.3.43 as the
client on the Kerberos servers, I see it's possible to add some failover with
ldap_servers in /etc/krb5.conf and URI in /etc/openldap/ldap.conf.
For example:
/etc/krb5.conf: ldap_servers = ldaps://hostname1:636 ldaps://hostname2:636
/etc/openldap/ldap.conf: URI ldaps://hostname1:636 ldaps://hostname2:636
In our situation, the ldap servers are behind a BigIP, so only a single hostname
can be entered. I'm curious whether it makes any sense to add the BigIP hostname
twice. Once the initial connection is made by the Kerberos server to the first
ldap server, are there any failure scenarios in which the below would make sense?
/etc/krb5.conf: ldap_servers = ldaps://<bigip hostname>:636 ldaps://<bigip hostname>:636
/etc/openldap/ldap.conf: URI ldaps://<bigip hostname>:636 ldaps://<bigip hostname>:636
Hopefully it makes sense what I'm asking and thanks for your time.
Regards,
Kevin
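The question above turns on how an ordered URI list behaves at connect time: each entry is only another connection attempt, so a VIP listed twice buys one extra retry against the same address when the first attempt fails outright and nothing once a session is established. The following is an added illustration written for this page; it is not libldap's or the krb5 LDAP backend's code, and the dialer, hostnames (hostname1, hostname2, vip) and failure modes are constructed so it runs offline.

```python
"""Added illustration (not libldap or krb5 code): connect-time failover over an
ordered URI list such as krb5.conf 'ldap_servers' or ldap.conf 'URI'."""
from urllib.parse import urlsplit


def parse_uri_list(spec):
    """Split a space-separated URI list into (scheme, host, port) tuples.
    Missing ports default to 636 for ldaps and 389 for ldap."""
    targets = []
    for uri in spec.split():
        u = urlsplit(uri)
        if u.scheme not in ("ldap", "ldaps") or not u.hostname:
            raise ValueError(f"unsupported or malformed URI: {uri!r}")
        port = u.port or (636 if u.scheme == "ldaps" else 389)
        targets.append((u.scheme, u.hostname, port))
    return targets


def duplicate_targets(spec):
    """Targets that appear more than once. A duplicate is only a second
    connect-time attempt at the same address, not a second server."""
    seen, dups = set(), []
    for t in parse_uri_list(spec):
        if t in seen and t not in dups:
            dups.append(t)
        seen.add(t)
    return dups


def connect_with_failover(spec, dial):
    """Try each URI in order and stop at the first that connects.
    dial(scheme, host, port) returns a handle or raises ConnectionError.
    Returns {'index', 'handle', 'attempts'}; handle is None if all fail."""
    attempts = []
    for i, (scheme, host, port) in enumerate(parse_uri_list(spec)):
        try:
            handle = dial(scheme, host, port)
        except ConnectionError as e:
            attempts.append((host, port, f"fail: {e}"))
            continue
        attempts.append((host, port, "ok"))
        return {"index": i, "handle": handle, "attempts": attempts}
    return {"index": None, "handle": None, "attempts": attempts}


def make_dialer(down_hosts=(), transient_failures=0):
    """Constructed fake dialer for the demo (assumption: no real sockets).
    Hosts in down_hosts always refuse; the first `transient_failures` calls
    to any other host fail with a reset, after which they succeed."""
    state = {"left": transient_failures}

    def dial(scheme, host, port):
        if host in down_hosts:
            raise ConnectionError("connection refused")
        if state["left"] > 0:
            state["left"] -= 1
            raise ConnectionError("transient reset")
        return f"{scheme}://{host}:{port}"

    return dial


def scenarios():
    """Three cases from the post: two real servers with the first down, one
    VIP listed twice with a transient failure, and the same VIP hard down."""
    two_hosts = "ldaps://hostname1:636 ldaps://hostname2:636"
    vip_twice = "ldaps://vip:636 ldaps://vip:636"
    return {
        "first_host_down": connect_with_failover(
            two_hosts, make_dialer(down_hosts=("hostname1",))),
        "vip_transient": connect_with_failover(
            vip_twice, make_dialer(transient_failures=1)),
        "vip_hard_down": connect_with_failover(
            vip_twice, make_dialer(down_hosts=("vip",))),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, "->", result["handle"], result["attempts"])
    print("duplicates:", duplicate_targets("ldaps://vip:636 ldaps://vip:636"))
```

The third scenario is the caveat: when the only address is unreachable, listing it twice just produces two refused connections, and a failure after the session is up is not touched by this loop at all, so whatever reconnect logic the client has is what actually matters for a VIP. With ldaps, the certificate presented behind the VIP also has to match the VIP hostname, since that is the name the client checks.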