upgrading kerberos 1.9.4 to 1.13 with LDAP backend

Paul B. Henson henson at acm.org
Wed Dec 3 17:25:59 EST 2014

We currently have three Kerberos servers running 1.9.4 using the LDAP
backend and are planning to upgrade to 1.13. Historically we have always
upgraded servers one at a time, slaves first, then the master, and done the
upgrade in place with the temporary existence of different versions.

This is the first upgrade we have done since switching to the LDAP backend.
We have account lockout enabled (shakes angry fist at ridiculous ISO audit
checkbox), and our LDAP backend is multi master, so technically even though
we have a load balancer in front directing kadmin load at any given time to
only one of the three servers, they are all masters and updating the local
database simultaneously.

I see that four new attributes (krbPwdAttributes, krbPwdMaxLife,
krbPwdMaxRenewableLife, and krbPwdAllowedKeysalts) have been added to the
krbPwdPolicy object class in the schema. openldap gets quite unhappy if one
server tries replicating anattribute to another which does not have it
defined 8-/, so I want to be sure to avoid that scenario.

I am tentatively thinking of updating the openldap schema on the existing
systems prior to the update, and then updating Kerberos itself one system at
a time as we have historically done. Does this seem reasonable, and will
hopefully succeed without any interoperability issues?

Thanks much for any thoughts or suggestions.

More information about the Kerberos mailing list