Hi,
This is for MIT Kerberos with the KDC's using a ldap back end.

From the documentation, it states that a whitespace-separated list of ldap 
servers can be specified for ldap_servers=.  I'm assuming that is some type of 
failover list?  We have an F5 LTM setup with a single load balance dns name for 
all the ldap servers.  This way we have failover across data centers.  My 
questions about this are:
1) when does this whitespace-separated list failover?  Is it only at krb5kdc 
service startup or after the krb5kdc service is started will the krb5kdc 
process use the whitespace-separated list and attempt to failover if an issue 
is encountered?
2) since we only have a single load balanced dns name for all the ldap servers, 
can I simply put this in multiple times and will it retry based on the list?  
For example:
ldap_servers = ldaps://f5ltm.domain.com ldaps://f5ltm.domain.com ldaps://f5ltm.domain.com
Hope it's clear what I'm asking.  Basically if I put the same ldap server 
(ldaps://f5ltm.domain.com) in multiple times will it retry the same ldap server 
again?  Will it go back to the first after trying the last?
We lost connection to the ldap back end with "LDAP handle unavailable" in the 
krb5kdc log.  Those that manage the ldap server back end tell me all they want 
to provide is a single dns name and they manage all the failover.  For the most 
part it works well but I'm just wondering if listing the same name a few or 
several times would provide failover and might have avoided the outage?

   - ldap_servers
      - This LDAP-specific tag indicates the list of LDAP servers that 
the Kerberos servers can connect to. The list of LDAP servers 
is whitespace-separated. The LDAP server is specified by an LDAP URI. It is 
recommended to use ldapi: or ldaps: URLs to connect to the LDAP server.
Thanks, Kevin
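The quoted documentation describes the ldap_servers value as a whitespace-separated list of LDAP URIs and recommends ldapi: or ldaps: URLs. The script below is an added example, not code from the post or from MIT Kerberos: it parses that tag out of a kdc.conf-style [dbmodules] stanza and reports entries that are not ldapi:/ldaps: (i.e. would talk to the directory without TLS) and entries that appear more than once, so an operator can see at a glance what the KDC has actually been told to use. The configuration text is constructed for the example; the tag names (db_library, ldap_kerberos_container_dn, ldap_servers, ldap_conns_per_server) are real kdc.conf tags, while the host names are placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample kdc.conf fragment (placeholder host names, not a real site).
# The ldap_servers value follows the whitespace-separated URI format quoted
# from the MIT documentation above; one entry is deliberately plain ldap://.
SAMPLE_KDC_CONF = """\
[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
        ldap_servers = ldaps://f5ltm.domain.com ldaps://f5ltm.domain.com ldap://backup.domain.com
        ldap_conns_per_server = 5
    }
"""


def parse_ldap_servers(conf_text):
    """Return the list of URIs from the first ldap_servers tag in conf_text.

    The value is whitespace-separated, so str.split() is the whole parser.
    Returns an empty list when the tag is absent.
    """
    m = re.search(r"^\s*ldap_servers\s*=\s*(.+)$", conf_text, re.MULTILINE)
    if not m:
        return []
    return m.group(1).split()


def check_ldap_servers(uris):
    """Return (uri, finding) pairs for entries an operator should look at.

    Two findings are reported:
      * the URI scheme is neither ldaps: nor ldapi:, so the KDC-to-directory
        connection would not be protected by TLS or a local socket;
      * the same URI is listed more than once.
    """
    findings = []
    seen = set()
    for uri in uris:
        scheme = urlsplit(uri).scheme.lower()
        if scheme not in ("ldaps", "ldapi"):
            findings.append((uri, "not ldaps:/ldapi: as the MIT docs recommend"))
        if uri in seen:
            findings.append((uri, "duplicate entry"))
        seen.add(uri)
    return findings


if __name__ == "__main__":
    servers = parse_ldap_servers(SAMPLE_KDC_CONF)
    print("ldap_servers:", servers)
    for uri, finding in check_ldap_servers(servers):
        print(f"  {uri}: {finding}")
```

Run it against a real kdc.conf by reading the file into the string instead of SAMPLE_KDC_CONF; the parser only looks at the first ldap_servers line, which matches how a single dbmodules stanza is written.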

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
