upgrading kerberos 1.9.4 to 1.13 with LDAP backend

Chris Hecker checker at d6.com
Wed Dec 3 19:20:31 EST 2014

I am going to need to make the exact same update at some point, so a report
back on how it went would be great!

 On Dec 3, 2014 2:28 PM, "Paul B. Henson" <henson at acm.org> wrote:

> We currently have three Kerberos servers running 1.9.4 using the LDAP
> backend and are planning to upgrade to 1.13. Historically we have always
> upgraded servers one at a time, slaves first, then the master, and done the
> upgrade in place with the temporary existence of different versions.
> This is the first upgrade we have done since switching to the LDAP backend.
> We have account lockout enabled (shakes angry fist at ridiculous ISO audit
> checkbox), and our LDAP backend is multi master, so technically even though
> we have a load balancer in front directing kadmin load at any given time to
> only one of the three servers, they are all masters and updating the local
> database simultaneously.
> I see that four new attributes (krbPwdAttributes, krbPwdMaxLife,
> krbPwdMaxRenewableLife, and krbPwdAllowedKeysalts) have been added to the
> krbPwdPolicy object class in the schema. openldap gets quite unhappy if one
> server tries replicating anattribute to another which does not have it
> defined 8-/, so I want to be sure to avoid that scenario.
> I am tentatively thinking of updating the openldap schema on the existing
> systems prior to the update, and then updating Kerberos itself one system
> at
> a time as we have historically done. Does this seem reasonable, and will
> hopefully succeed without any interoperability issues?
> Thanks much for any thoughts or suggestions.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

More information about the Kerberos mailing list