Hi,
Using LDAP as the back end for Kerberos principals and openldap 2.3.43 as the client on the Kerberos servers, I see it's possible to add some failover with ldap_servers in /etc/krb5.conf and URI in /etc/openldap/ldap.conf.
For example:
/etc/krb5.conf:
ldap_servers = ldaps://hostname1:636 ldaps://hostname2:636

/etc/openldap/ldap.conf:
URI ldaps://hostname1:636 ldaps://hostname2:636
In our situation, the ldap servers are behind a BigIP, so only a single hostname can be entered. I'm curious if it makes any sense to add the BigIP hostname twice. Once the initial connection is made by the Kerberos server to the first ldap server, are there any failure scenarios in which the below would make sense?
/etc/krb5.conf:
ldap_servers = ldaps://<bigip hostname>:636 ldaps://<bigip hostname>:636

/etc/openldap/ldap.conf:
URI ldaps://<bigip hostname>:636 ldaps://<bigip hostname>:636
Hopefully it makes sense what I'm asking and thanks for your time.
Regards,
Kevin
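As an added illustration (not part of Kevin's post, and not code from MIT Kerberos or OpenLDAP), the script below reads the two lists the post configures, the ldap_servers value in krb5.conf and the URI line in ldap.conf, normalises each URI (scheme lower-cased, host lower-cased, default port 389 or 636 filled in) and reports how many distinct endpoints each list actually names, which is the number that matters when the question is how many independent servers a client can fail over to. The config fragments and hostnames are constructed placeholders; the section layout of the krb5.conf fragment is an assumption about where such a line typically sits and is not taken from the post.

```python
"""Offline check of the LDAP failover lists in krb5.conf and ldap.conf.

Added example: parses constructed config fragments, normalises the URIs and
reports the distinct endpoints and any repeated entries in each list.
"""

import re
from urllib.parse import urlsplit

# Constructed krb5.conf fragment (placeholder hostnames; the [dbmodules]
# layout is an assumption about where ldap_servers usually lives).
KRB5_CONF = """\
[dbmodules]
    ldap_backend = {
        db_library = kldap
        ldap_servers = ldaps://hostname1:636 ldaps://hostname2:636
    }
"""

# Constructed OpenLDAP client ldap.conf fragment (placeholder hostnames).
LDAP_CONF = """\
# OpenLDAP client defaults
URI ldaps://hostname1:636 ldaps://hostname2:636
BASE dc=example,dc=com
"""

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def normalise(uri):
    """Return (scheme, host, port) with host lower-cased and the default port filled in."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported LDAP URI: {uri}")
    return (scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[scheme])


def servers_from_krb5(text):
    """Collect the space-separated URIs from every 'ldap_servers = ...' line."""
    uris = []
    for m in re.finditer(r"^\s*ldap_servers\s*=\s*(.+?)\s*$", text, re.M):
        uris.extend(m.group(1).split())
    return uris


def servers_from_ldap_conf(text):
    """Collect the space-separated URIs from every 'URI ...' line."""
    uris = []
    for m in re.finditer(r"^\s*URI\s+(.+?)\s*$", text, re.M):
        uris.extend(m.group(1).split())
    return uris


def failover_report(uris):
    """Summarise a list: entries as written, distinct endpoints (in order), repeated ones."""
    endpoints = [normalise(u) for u in uris]
    distinct = list(dict.fromkeys(endpoints))  # dict keeps insertion order
    duplicates = sorted({e for e in endpoints if endpoints.count(e) > 1})
    return {"entries": len(endpoints), "distinct": distinct, "duplicates": duplicates}


def lists_match(krb5_text, ldap_conf_text):
    """True when both files name the same distinct endpoints in the same order."""
    return (failover_report(servers_from_krb5(krb5_text))["distinct"]
            == failover_report(servers_from_ldap_conf(ldap_conf_text))["distinct"])


if __name__ == "__main__":
    for name, uris in (("krb5.conf", servers_from_krb5(KRB5_CONF)),
                       ("ldap.conf", servers_from_ldap_conf(LDAP_CONF))):
        r = failover_report(uris)
        print(f"{name}: {r['entries']} entries, {len(r['distinct'])} distinct endpoint(s)")
        for scheme, host, port in r["duplicates"]:
            print(f"  repeated endpoint: {scheme}://{host}:{port}")
    print("both files agree:", lists_match(KRB5_CONF, LDAP_CONF))
```

Running it on the constructed fragments reports two entries and two distinct endpoints for each file; feeding `failover_report` a list such as `["ldaps://bigip:636", "ldaps://bigip:636"]` reports two entries but a single distinct endpoint, which is the situation the post asks about. The normalisation step is what makes the comparison honest: `ldaps://BIGIP:636` and `ldaps://bigip` are the same endpoint even though the strings differ.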