Hi,
Using LDAP as the back end for Kerberos principals and openldap 2.3.43 as the client on the Kerberos servers, I see it's possible to add some failover with ldap_servers in /etc/krb5.conf and URI in /etc/openldap/ldap.conf.
For example:
/etc/krb5.conf:
    ldap_servers = ldaps://hostname1:636 ldaps://hostname2:636

/etc/openldap/ldap.conf:
    URI ldaps://hostname1:636 ldaps://hostname2:636
In our situation, the LDAP servers are behind a BigIP, so only a single hostname can be entered. I'm curious if it makes any sense to add the BigIP hostname twice. Once the initial connection is made by the Kerberos server to the first LDAP server, are there any failure scenarios in which the below would make any sense?
/etc/krb5.conf:
    ldap_servers = ldaps://<bigip hostname>:636 ldaps://<bigip hostname>:636

/etc/openldap/ldap.conf:
    URI ldaps://<bigip hostname>:636 ldaps://<bigip hostname>:636
Hopefully it makes sense what I'm asking and thanks for your time.
Regards,
Kevin
As far as OpenLDAP is concerned no. And frankly, I'd be surprised if that made a difference for anything else.
Kinda the whole point of the VIP. :)
FWIW: I'm not using Kerberos, but all my servers are behind VIPs.
- chris
Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661
email: chris.jacobs@apollogrp.edu
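To make the point above concrete, here is an added example (not from this thread, and not OpenLDAP or MIT Kerberos code) that parses the two lines the thread discusses, `ldap_servers = ...` from krb5.conf and `URI ...` from ldap.conf, and reports entries that add no failover because they repeat a host already in the list (the "same VIP listed twice" case) as well as entries that are not `ldaps://`. The hostnames and config fragments are constructed placeholders.

```python
"""Audit the LDAP server lists a KDC uses for failover (added example).

Parses the whitespace-separated URI list from a krb5.conf `ldap_servers`
setting or an ldap.conf `URI` setting, then flags entries that repeat an
endpoint (no extra failover gained) or that are not ldaps:// (the KDC's
database traffic would not be TLS-protected on the wire).
"""
import re
from urllib.parse import urlsplit

# Constructed sample krb5.conf fragment: the same VIP listed twice.
KRB5_CONF = """
[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_servers = ldaps://bigip.example.test:636 ldaps://bigip.example.test:636
    }
"""

# Constructed sample ldap.conf fragment: two distinct hosts, one without TLS.
LDAP_CONF = """
# /etc/openldap/ldap.conf (constructed)
BASE   dc=example,dc=test
URI    ldaps://hostname1.example.test:636 ldap://hostname2.example.test
"""


def extract_uris(text, key):
    """Return the list of URIs following `key` in `text`.

    krb5.conf writes `key = value`; ldap.conf writes `KEY value`.
    The optional `=` handles both layouts.
    """
    pattern = re.compile(
        r"^\s*" + re.escape(key) + r"\s*=?\s*(.+?)\s*$",
        re.IGNORECASE | re.MULTILINE,
    )
    match = pattern.search(text)
    return match.group(1).split() if match else []


def audit(uris):
    """Classify each URI; returns effective endpoints, duplicates and cleartext entries."""
    effective = []   # distinct (scheme, host, port) tuples, in list order
    duplicates = []  # URIs that repeat an endpoint already present
    cleartext = []   # URIs that are not ldaps://
    for uri in uris:
        parts = urlsplit(uri)
        scheme = parts.scheme.lower()
        host = (parts.hostname or "").lower()
        port = parts.port or (636 if scheme == "ldaps" else 389)
        endpoint = (scheme, host, port)
        if endpoint in effective:
            duplicates.append(uri)   # same host again: the VIP already handles failover
        else:
            effective.append(endpoint)
        if scheme != "ldaps":
            cleartext.append(uri)
    return {"effective": effective, "duplicates": duplicates, "cleartext": cleartext}


def report(label, uris):
    """Print a short human-readable summary for one config's URI list."""
    result = audit(uris)
    print(f"{label}: {len(uris)} listed, {len(result['effective'])} distinct endpoint(s)")
    for uri in result["duplicates"]:
        print(f"  duplicate (adds no failover): {uri}")
    for uri in result["cleartext"]:
        print(f"  not ldaps:// (no TLS on the KDC database link): {uri}")
    return result


if __name__ == "__main__":
    report("krb5.conf ldap_servers", extract_uris(KRB5_CONF, "ldap_servers"))
    report("ldap.conf URI", extract_uris(LDAP_CONF, "URI"))
```

Run against a real host by replacing the constructed fragments with the contents of `/etc/krb5.conf` and `/etc/openldap/ldap.conf`; a list whose distinct-endpoint count is 1 is exactly the case discussed here, where the second entry gains nothing beyond what the VIP already provides.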
----- Original Message -----
From: openldap-technical-bounces@OpenLDAP.org
To: openldap-technical@openldap.org
Sent: Tue Dec 28 07:29:39 2010
Subject: ldap server failover on Kerberos servers?