ldap_servers= and failover

Kevin Longfellow klongfel at yahoo.com
Thu Jun 29 10:01:43 EDT 2017

This is for MIT Kerberos with the KDC's using a ldap back end.

From the documentation, it states that a whitespace-separated list of ldap servers can be specified for ldap_servers=.  I'm assuming that is some type of failover list?  We have a F5 LTM setup with a single load balance dns name for all the ldap servers.  This way we have failover across data centers.  My questions about this are:
1) when does this whitespace-separated list failover?  Is it only at krb5kdc service startup or after the krb5kdc service is started will the krb5kdc process use the whitespace-separated list and attempt to failover if an issue is encountered?
2) since we only have a single load balanced dns name for all the ldap servers, can I simply put this in multiple times and will it retry based on the list?  For example:
ldap_servers = ldaps://f5ltm.domain.com ldaps://f5ltm.domain.com ldaps://f5ltm.domain.com
Hope it's clear what I'm asking.  Basically if I put the same ldap server (ldaps://f5ltm.domain.com) in multiple times will it retry the same ldap server again?  Will it go back to the first after trying the last?
We lost connection to the ldap back end with "LDAP handle unavailable" in the krb5kdc log.  Those that manage the ldap server back end tell me all they want to provide is a single dns name and they manage all the failover.  For the most part it works well but I'm just wondering if listing the same name a few or several times would provide failover and might have avoided the outage?

   - ldap_servers
      - This LDAP-specific tag indicates the list of LDAP servers that the Kerberos servers can connect to. The list of LDAP servers is whitespace-separated. The LDAP server is specified by a LDAP URI. It is recommended to use ldapi: or ldaps: URLs to connect to the LDAP server.
Thanks, Kevin   
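As an added example (not from the original post or from MIT Kerberos), the following script parses the ldap_servers value out of a kdc.conf-style stanza, checks each URI against the documentation's ldapi:/ldaps: recommendation, flags entries listed more than once (the duplicated-name question above), and counts "LDAP handle unavailable" lines in a krb5kdc log so the condition can be alerted on. The config and log samples are constructed, and the log line layout is illustrative rather than MIT's exact format.

```python
# Added example (not from the original post or MIT Kerberos): audit the
# ldap_servers list of a KDC LDAP back end and count lost-LDAP-handle log lines.
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample config, modelled on the poster's question.
KDC_CONF = """
[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_servers = ldaps://f5ltm.domain.com ldaps://f5ltm.domain.com ldap://backup.domain.com
    }
"""

# Constructed sample krb5kdc log lines (layout is illustrative, not MIT's exact format).
KDC_LOG = """\
Jun 29 09:58:01 kdc1 krb5kdc[1234](info): AS_REQ (4 etypes) ... ISSUE: authtime 1498744681
Jun 29 09:58:07 kdc1 krb5kdc[1234](Error): LDAP handle unavailable
Jun 29 09:58:09 kdc1 krb5kdc[1234](Error): LDAP handle unavailable
"""

def parse_ldap_servers(conf: str) -> list[str]:
    """Return the whitespace-separated ldap_servers list (empty if the tag is absent)."""
    m = re.search(r"^\s*ldap_servers\s*=\s*(.+)$", conf, re.MULTILINE)
    return m.group(1).split() if m else []

def check_ldap_servers(servers: list[str]) -> dict:
    """Report URIs that are not ldapi:/ldaps: and URIs that appear more than once."""
    insecure = [s for s in servers if urlsplit(s).scheme not in ("ldapi", "ldaps")]
    duplicates = {s: n for s, n in Counter(servers).items() if n > 1}
    return {"insecure": insecure, "duplicates": duplicates}

def count_ldap_unavailable(log: str) -> int:
    """Count log lines reporting a lost LDAP handle; a non-zero count is an alerting signal."""
    return sum(1 for line in log.splitlines() if "LDAP handle unavailable" in line)

if __name__ == "__main__":
    servers = parse_ldap_servers(KDC_CONF)
    print(servers)
    print(check_ldap_servers(servers))
    print("LDAP handle unavailable events:", count_ldap_unavailable(KDC_LOG))
```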
