7.2 LDAP Server Failover

The Novell Kerberos KDC uses LDAP to access eDirectory, so whenever the eDirectory or LDAP services go down or are restarted for maintenance, the Novell Kerberos KDC services are affected. Additionally, the Novell Kerberos KDC services must be restarted manually whenever the eDirectory or LDAP services come back up.

The Novell Kerberos KDC provides a mechanism to overcome this problem: it establishes LDAP connections with multiple LDAP servers. If any server stops responding, the connections to the remaining servers are used. If all the LDAP servers are down, the Novell Kerberos KDC services do not abort; they handle requests by returning an error, and the LDAP module keeps trying to reconnect to all the LDAP servers until it obtains a connection.

The list of LDAP servers can be set in the /etc/krb5.conf file.

7.2.1 Configuring Multiple Servers for Failover

The Novell Kerberos KDC services read the database-specific parameters from the /etc/krb5.conf configuration file, or you can supply these parameters on the command line. Using the command line avoids frequent modification of the configuration file, lets you change the options even without write permission to the configuration file, and allows several server processes with different parameter values to run on a single machine.

Setting the LDAP Servers List

The list of LDAP servers that the Novell Kerberos KDC server tries to connect to is defined by the ldap_servers parameter in the /etc/krb5.conf file.

You can use either of the following methods to set up the LDAP servers:

  • Configuration File

    Use the ldap_servers parameter in the /etc/krb5.conf file as follows:

    ldap_servers = ldaps://ldap-server1.mit.edu   ldaps://ldap-server2.mit.edu:1636
    
  • Command Line

    Use the following command-line option to set the list of LDAP servers that the Kerberos services (KDC, Administration, and Password) should connect to:

    -x host=ldaps://hostname:port

If you specify multiple LDAP servers, you must configure the Kerberos LDAP extensions on all of them. The Password Agent needs to be configured on only one LDAP server, which must hold a writable replica.
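The following script is an added example, not code from the Novell Kerberos KDC documentation or product. It reads the ldap_servers failover list out of a krb5.conf, normalizes each entry to (scheme, host, port) with the LDAP default ports, flags lists that give the KDC nothing to fail over to and entries that use plain ldap:// (the KDC binds to eDirectory with a service password, so a non-TLS entry sends that credential and principal data in the clear), and prints the equivalent -x host= form. The sample configuration is constructed; the [dbmodules] entry name, the ldap_kdc_dn value, and the assumption that -x host= may be repeated once per server (as the MIT-derived kldap module accepts) are this example's, not the page's.

```python
"""Sanity-check the ldap_servers failover list from a krb5.conf.

Added example, not part of the Novell Kerberos KDC documentation or code.
"""
import re
from urllib.parse import urlsplit

# Constructed sample configuration; the [dbmodules] entry name and the
# ldap_kdc_dn value are illustrative assumptions, not values from the page.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[dbmodules]
    edir_ldapconf = {
        db_library = kldap
        # space-separated list; the first entry is tried first
        ldap_servers = ldaps://ldap-server1.mit.edu   ldaps://ldap-server2.mit.edu:1636 ldap://ldap-server3.mit.edu
        ldap_kdc_dn = cn=kdc-service,o=novell
    }
"""

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
_LDAP_SERVERS_RE = re.compile(r"^\s*ldap_servers\s*=\s*(.+?)\s*$")


def extract_ldap_servers(conf_text):
    """Return every URI from ldap_servers lines, in the order listed.

    Collected wherever the key appears ([dbdefaults] or inside a [dbmodules]
    entry); anything after '#' on a line is treated as a comment.
    """
    uris = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]
        m = _LDAP_SERVERS_RE.match(line)
        if m:
            uris.extend(m.group(1).split())
    return uris


def parse_server_uri(uri):
    """Split one entry into (scheme, host, port), applying the scheme's default port."""
    parts = urlsplit(uri)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme in LDAP URI {uri!r}")
    if not parts.hostname:
        raise ValueError(f"missing host in LDAP URI {uri!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return parts.scheme, parts.hostname, port


def check_failover_list(conf_text):
    """Parse the failover list and report problems a practitioner should fix.

    Returns the parsed servers, a list of warnings, and the equivalent
    command-line form (one -x host= per server; repeating the option is an
    assumption of this example, based on the MIT-derived kldap module).
    """
    servers = [parse_server_uri(u) for u in extract_ldap_servers(conf_text)]
    warnings = []
    if len(servers) < 2:
        warnings.append("fewer than two LDAP servers listed: nothing to fail over to")
    seen = set()
    for scheme, host, port in servers:
        if scheme != "ldaps":
            warnings.append(
                f"{host}:{port} is plain ldap://: the KDC's bind credentials and "
                "principal data would cross the network unencrypted"
            )
        if (host, port) in seen:
            warnings.append(f"{host}:{port} is listed more than once")
        seen.add((host, port))
    db_args = [f"-x host={s}://{h}:{p}" for s, h, p in servers]
    return {"servers": servers, "warnings": warnings, "db_args": db_args}


if __name__ == "__main__":
    report = check_failover_list(SAMPLE_KRB5_CONF)
    for server in report["servers"]:
        print("server:", server)
    for warning in report["warnings"]:
        print("WARNING:", warning)
    print("command line:", " ".join(report["db_args"]))
```

Run it against your own /etc/krb5.conf by reading the file into check_failover_list; every warning it prints is a case where the failover mechanism described above would either have no second server to fall back to or would fall back over an unencrypted connection.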