issue with MIT KDC and LDAP DS

Will Fiveash William.Fiveash at Sun.COM
Fri May 22 16:57:58 EDT 2009


I'm looking for input regarding my changing the following behavior of
the krb5kdc and kadmind.  Currently, when a KDC is configured to use the
LDAP KDB plugin and krb5kdc is started prior to the DS being on-line,
the krb5kdc exits immediately with an error.  I want to change this
behavior so krb5kdc (and kadmind) stays up even when the DS is off-line.
The idea is that LDAP bind errors such as LDAP_SERVER_DOWN and
LDAP_CONNECT_ERROR would be treated as non-fatal in
krb5_ldap_initialize().  krb5kdc would daemonize itself as it normally
does but if there were no DS server connections up would try to bind
with a DS when it receives krb requests.  If it is unable to bind it
would send an error response to the *_REQ requester and wait for the
next request whereupon it would try to bind again.

The kadmind would behave similarly, sending back errors until it was
able to bind to the DS.

Thoughts?

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
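Added illustration of the proposed lifecycle, written for this page and not taken from MIT krb5 or Sun's code: a constructed stand-in for libldap and the DS (ds_set_online, fake_ldap_bind, fake_ldap_lookup are hypothetical), the initialize step that treats only LDAP_SERVER_DOWN / LDAP_CONNECT_ERROR as non-fatal, and a request path that binds lazily and answers with an error while the DS is down. It also covers a DS that disappears after a successful bind, which the message does not spell out.

```c
#include <stdbool.h>

/* Constructed stand-ins for the libldap result codes named in the post.
 * Values follow OpenLDAP's, but this is a simulation, not MIT krb5 code. */
#define LDAP_SUCCESS         0
#define LDAP_SERVER_DOWN    (-1)
#define LDAP_CONNECT_ERROR  (-11)

/* Constructed fake Directory Server whose availability the caller toggles. */
static bool ds_online = false;
void ds_set_online(bool up) { ds_online = up; }
static int fake_ldap_bind(void)   { return ds_online ? LDAP_SUCCESS : LDAP_SERVER_DOWN; }
static int fake_ldap_lookup(void) { return ds_online ? LDAP_SUCCESS : LDAP_SERVER_DOWN; }

/* Connection state the KDC's LDAP context would carry. */
static bool ds_bound = false;

/* Only "DS unreachable" errors are non-fatal; anything else (for example
 * a bind rejected for bad credentials) should still abort startup as before. */
bool bind_error_is_transient(int rc) {
    return rc == LDAP_SERVER_DOWN || rc == LDAP_CONNECT_ERROR;
}

/* Analogue of krb5_ldap_initialize(): 0 means "keep running" whether or not
 * a bind succeeded; a nonzero return is an error that should still exit. */
int kdc_ldap_initialize(void) {
    int rc = fake_ldap_bind();
    if (rc == LDAP_SUCCESS) { ds_bound = true; return 0; }
    ds_bound = false;
    return bind_error_is_transient(rc) ? 0 : rc;
}

/* Reply codes for the request path (constructed, not real KRB-ERROR codes). */
#define KDC_REPLY_OK      0
#define KDC_REPLY_ERR_DS  1   /* the "error response to the *_REQ requester" */

/* Per-request path: bind lazily if no DS connection is up, answer with an
 * error if that fails, and forget the connection if the DS vanishes
 * mid-operation so the next request triggers another bind attempt. */
int kdc_handle_request(void) {
    if (!ds_bound) {
        if (fake_ldap_bind() != LDAP_SUCCESS) return KDC_REPLY_ERR_DS;
        ds_bound = true;
    }
    if (fake_ldap_lookup() == LDAP_SERVER_DOWN) {
        ds_bound = false;
        return KDC_REPLY_ERR_DS;
    }
    return KDC_REPLY_OK;
}
```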


