failover when Active Directory server is not available

Simon Reber Simon.Reber at lcsystems.ch
Thu Jun 20 10:15:58 EDT 2013


Hi List,

We are operating an LDAP Directory that does authentication using Kerberos.
The directory is Sun One 5.2 Update 6 and the Kerberos plugin we use is libkrbdirp.so (http://people.duke.edu/~rob/krbdirp/):
	ldd libkrbdirp.so
        libnsl.so.1 =>   /lib/64/libnsl.so.1
        libresolv.so.2 =>        /lib/64/libresolv.so.2
        libc.so.1 =>     /lib/64/libc.so.1
        libsocket.so.1 =>        /lib/64/libsocket.so.1
        libgen.so.1 =>   /lib/64/libgen.so.1
        libpthread.so.1 =>       /lib/64/libpthread.so.1
        libmp.so.2 =>    /lib/64/libmp.so.2
        libmd.so.1 =>    /lib/64/libmd.so.1
        libscf.so.1 =>   /lib/64/libscf.so.1
        libdoor.so.1 =>  /lib/64/libdoor.so.1
        libuutil.so.1 =>         /lib/64/libuutil.so.1
        libm.so.2 =>     /lib/64/libm.so.2
        /lib/sparcv9/../libm/sparcv9/libm_hwcap1.so.2
        /platform/SUNW,SPARC-Enterprise/lib/sparcv9/libc_psr.so.1

The problem we have is that, in case an Active Directory server from the list `nslookup -query=srv _kerberos._tcp.example.com` is not reachable, the directory server fails because the Kerberos plugin still tries to use the faulty Active Directory server.
	- For security reasons, we are forced to use TCP for Kerberos traffic

My question is: how can I change the behavior of Kerberos to skip the faulty Active Directory server until it comes back online again?
Is there any chance to implement a failover? Or maybe decrease the connectivity timeout or something like that?

Please note that, basically, Kerberos is still working in the above case, but the directory serves about 150K users, and due to the number of concurrent connections the directory server fails and becomes unavailable.

So if somebody has an idea, please do not hesitate to contact me! I appreciate everything.

Thanks and all the best,
Si
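An added example, not part of the original post or of libkrbdirp: a small probe that takes the `_kerberos._tcp` SRV set, orders it the way a client would (lowest priority first, then by weight), and tests TCP reachability of each KDC with a bounded timeout, so the dead server can be spotted and alerted on before the directory piles up connections against it. The SRV records here are constructed and point at local listeners rather than real AD hosts; the weight ordering is a deterministic simplification of RFC 2782's weighted random pick.

```python
"""Probe Kerberos KDCs over TCP, in SRV order, with a bounded timeout."""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def order_srv(records):
    """Selection order: lowest priority first; within a priority, higher
    weight first (deterministic stand-in for RFC 2782's weighted pick)."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout.
    Only tests the transport; it does not prove the KDC answers AS-REQs."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_kdcs(records, timeout=2.0):
    """Map 'target:port' -> reachability for every KDC in selection order."""
    return {f"{r.target}:{r.port}": tcp_reachable(r.target, r.port, timeout)
            for r in order_srv(records)}


def first_reachable(records, timeout=2.0):
    """The KDC a client would end up using after skipping unreachable ones."""
    for r in order_srv(records):
        if tcp_reachable(r.target, r.port, timeout):
            return r
    return None


def demo():
    """Constructed scenario: the preferred KDC is down, the backup is up."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    up_port = listener.getsockname()[1]
    tmp = socket.socket()              # reserve a port, then free it so
    tmp.bind(("127.0.0.1", 0))         # nothing listens there
    down_port = tmp.getsockname()[1]
    tmp.close()
    records = [SrvRecord(0, 100, down_port, "127.0.0.1"),   # preferred, "down"
               SrvRecord(10, 50, up_port, "127.0.0.1")]     # backup, reachable
    try:
        return probe_kdcs(records, 1.0), first_reachable(records, 1.0)
    finally:
        listener.close()
```

Run `demo()` to see the status map and the KDC that survives the probe; in practice feed it the SRV answers from the nslookup above and alert when any entry flips to unreachable.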
