[Date Prev][Date Next] [Chronological] [Thread] [Top]

ldap server failover on Kerberos servers?


Using LDAP as the back end for Kerberos principals and openldap 2.3.43 as the 
client on the Kerberos servers, I see it's possible to add some failover with 
ldap_servers in /etc/krb5.conf and URI in /etc/openldap/ldap.conf.

For example:

/etc/krb5.conf: ldap_servers = ldaps://hostname1:636 ldaps://hostname2:636
/etc/openldap/ldap.conf: URI ldaps://hostname1:636 ldaps://hostname2:636

In our situation, the ldap servers are behind a BigIP so only a single hostname 
can be entered.  I'm curious if it makes any sense to add the BigIP hostname 
twice?  Once the initial connection is made by the Kerberos server to the first 
ldap server are there any failure scenarios that the below would make any sense?

/etc/krb5.conf: ldap_servers = ldaps://<bigip hostname>:636 ldaps://<bigip 
/etc/openldap/ldap.conf: URI ldaps://<bigip hostname>:636 ldaps://<bigip 

Hopefully it makes sense what I'm asking and thanks for your time.