upgrading kerberos 1.9.4 to 1.13 with LDAP backend

Paul B. Henson henson at acm.org
Wed Dec 3 21:40:54 EST 2014

> From: Todd Grayson
> Sent: Wednesday, December 03, 2014 3:07 PM
> From a pure LDAP perspective, you should be able to update schema in an
> unobtrusive way as long as none of the attributes are "mandatory" for the
> objectClass.

All of the new attributes are optional, so no problem there.

> As far as the rest of the plan - I've not performed this migration so there
> might be folks who have that have wisdom to share (but it looks sound to
> me).  Obviously have a clean back-out plan...

It seems in the worst case (one would hope) the updated server will start populating LDAP with these attributes, and the others would ignore them until they are also updated. It looks like they are all password policy related; interestingly, comparing the add_policy section in the kadmin man page between my current version and the newer version, there don't appear to be any changes? So perhaps these new LDAP attributes aren't even in use yet?

We have good backups, although it would suck to have to use them <sigh>.

