upgrading kerberos 1.9.4 to 1.13 with LDAP backend

[Paul B. Henson]

We are ready to schedule this update, so I thought I'd try just one more
time to see if there were any other thoughts on this plan or any known
issues that might occur that would be problematic.

Thanks much.

> -----Original Message-----
> From: Paul Henson [mailto:paul.b.henson at gmail.com] On Behalf Of Paul B.
> Henson
> Sent: Wednesday, December 03, 2014 2:26 PM
> To: kerberos at mit.edu
> Subject: upgrading kerberos 1.9.4 to 1.13 with LDAP backend
> 
> We currently have three Kerberos servers running 1.9.4 using the LDAP
> backend and are planning to upgrade to 1.13. Historically we have always
> upgraded servers one at a time, slaves first, then the master, and done
the
> upgrade in place with the temporary existence of different versions.
> 
> This is the first upgrade we have done since switching to the LDAP
backend.
> We have account lockout enabled (shakes angry fist at ridiculous ISO audit
> checkbox), and our LDAP backend is multi master, so technically even
though
> we have a load balancer in front directing kadmin load at any given time
to
> only one of the three servers, they are all masters and updating the local
> database simultaneously.
> 
> I see that four new attributes (krbPwdAttributes, krbPwdMaxLife,
> krbPwdMaxRenewableLife, and krbPwdAllowedKeysalts) have been added to
> the
> krbPwdPolicy object class in the schema. openldap gets quite unhappy if
one
> server tries replicating anattribute to another which does not have it
> defined 8-/, so I want to be sure to avoid that scenario.
> 
> I am tentatively thinking of updating the openldap schema on the existing
> systems prior to the update, and then updating Kerberos itself one system
at
> a time as we have historically done. Does this seem reasonable, and will
> hopefully succeed without any interoperability issues?
> 
> Thanks much for any thoughts or suggestions.