Novell® Kerberos KDC uses LDAP to access eDirectoryTM. Without special handling, this means that whenever the eDirectory or LDAP services are down or are restarted for maintenance, the Novell Kerberos KDC services are affected, and they would have to be restarted manually whenever the eDirectory or LDAP services are restored.
Novell Kerberos KDC provides a mechanism to overcome this problem as follows:
If any of the servers is not responding, the LDAP connections to the other servers are used. If all the LDAP servers are down, the Novell Kerberos KDC services do not abort; they handle requests appropriately by returning an error. Whenever any of the LDAP servers is restored, the LDAP module attempts to reconnect to all the LDAP servers until it gets a connection.
Because multiple LDAP connections are cached for every LDAP server, multiple requests from the Novell Kerberos KDC services can be serviced simultaneously.
The list of LDAP servers and the number of connections per server can be set in the /etc/krb5.conf file.
To configure the LDAP connections, you need to set the list of LDAP servers and the number of connections per server, as described below.
Novell Kerberos KDC services read the database-specific parameters from the /etc/krb5.conf configuration file. You can also provide these parameters on the command line. This lets the administrator avoid frequent modification of the configuration file and change the options even without write permission on the configuration file. Additionally, several service instances with different parameter values can be run on a single machine. Note that values passed on the command line are visible to other users of the machine in the process list, so this is suitable for settings such as host names and connection counts, not for secrets.
You can set up the LDAP servers using any of the following methods:
The list of LDAP servers that the Novell Kerberos KDC server tries to connect to is defined by the ldap_servers parameter in the /etc/krb5.conf file.
Use the ldap_servers parameter in the /etc/krb5.conf file as follows:
ldap_servers = ldap-server1.mit.edu ldap-server2.mit.edu:1636
Use the following command-line option to set the list of LDAP servers that the Kerberos services (KDC, Administration, and Password) should connect to:
-x host=hostname:port
If a Kerberos service, such as the KDC, uses the database service from multiple LDAP servers, set the ldap_conns_per_server attribute in /etc/krb5.conf to an appropriate value so that the database operation load is distributed across those servers.
Multiple secure (SSL) connections can be established with every LDAP server as needed.
You can set up the number of LDAP connections per server using any of the following methods:
Use the ldap_conns_per_server parameter in the /etc/krb5.conf file as follows:
ldap_conns_per_server = 5
Use the following command-line option to set the number of LDAP connections per server that the Kerberos services (KDC, Administration, and Password) should use:
-x nconns=value
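As an added illustration, not Novell's code, the following Python model parses the two krb5.conf parameters described in this section and simulates the behaviour it describes: a cache of ldap_conns_per_server connections for each server in ldap_servers, failover to another server when one stops responding, an error result instead of an abort when all servers are down, and a reconnection attempt when a server comes back. The [dbmodules] placement of the parameters, the default port of 636, the default of one connection when ldap_conns_per_server is absent, the round-robin choice of server, and the FakeTransport stand-in for a real LDAP client are all assumptions made for the demonstration.

```python
import re

# Constructed sample krb5.conf fragment (the section name is an assumption;
# the page only states that the parameters live in /etc/krb5.conf).
KRB5_CONF = """
[dbmodules]
    ldap_servers = ldap-server1.example.com ldap-server2.example.com:1636
    ldap_conns_per_server = 5
"""

DEFAULT_PORT = 636  # assumed default for an SSL LDAP connection (not stated on the page)


def parse_ldap_config(text):
    """Return ([(host, port), ...], conns_per_server) from a krb5.conf fragment.

    ldap_servers is a space-separated list of host[:port]; a missing port falls
    back to DEFAULT_PORT. ldap_conns_per_server defaults to 1 when absent (an
    assumption; the page gives no default)."""
    m = re.search(r"^\s*ldap_servers\s*=\s*(.+?)\s*$", text, re.M)
    if not m:
        raise ValueError("ldap_servers is not set")
    servers = []
    for entry in m.group(1).split():
        host, _, port = entry.partition(":")
        servers.append((host, int(port) if port else DEFAULT_PORT))
    m = re.search(r"^\s*ldap_conns_per_server\s*=\s*(\d+)\s*$", text, re.M)
    return servers, int(m.group(1)) if m else 1


class ServerDown(Exception):
    """Raised by the fake transport when an LDAP server is unreachable."""


class FakeTransport:
    """Stand-in for a real LDAP client: a server listed in `down` refuses everything."""

    def __init__(self):
        self.down = set()

    def connect(self, host, port):
        if (host, port) in self.down:
            raise ServerDown(f"{host}:{port}")
        return (host, port)  # the 'connection' is just its endpoint here

    def search(self, conn, query):
        if conn in self.down:
            raise ServerDown(f"{conn[0]}:{conn[1]}")
        return f"{query}@{conn[0]}:{conn[1]}"


class LdapPool:
    """Caches up to conns_per_server connections for every configured LDAP server."""

    def __init__(self, servers, conns_per_server, transport):
        self.transport = transport
        self.conns_per_server = conns_per_server
        self.pool = {s: [] for s in servers}  # server -> cached connections
        self.counter = 0  # drives round-robin server selection (assumed policy)
        self.reconnect_all()

    def reconnect_all(self):
        """Try to (re)fill every server's cache; return the total live connections."""
        for server, conns in self.pool.items():
            while len(conns) < self.conns_per_server:
                try:
                    conns.append(self.transport.connect(*server))
                except ServerDown:
                    break  # leave this server empty, keep trying the others
        return sum(len(c) for c in self.pool.values())

    def request(self, query, _retry=True):
        """Service one request on any live server.

        A dead connection is discarded and the next one tried; when every cached
        connection has failed, one reconnect pass is attempted, and if that also
        fails an error result is returned instead of aborting the service."""
        order = list(self.pool)
        start = self.counter % len(order)
        self.counter += 1
        for server in order[start:] + order[:start]:
            conns = self.pool[server]
            while conns:
                conn = conns.pop()  # check a cached connection out
                try:
                    result = self.transport.search(conn, query)
                except ServerDown:
                    continue  # drop the dead connection, try the next one
                conns.append(conn)  # check it back in for other requests
                return {"ok": True, "result": result}
        if _retry and self.reconnect_all():
            return self.request(query, _retry=False)
        return {"ok": False, "error": "all LDAP servers unavailable"}


def demo():
    """Walk through an outage and recovery; return the outcome of each request."""
    servers, n = parse_ldap_config(KRB5_CONF)
    transport = FakeTransport()
    pool = LdapPool(servers, n, transport)
    s1, s2 = servers
    out = [pool.request("q1")["result"]]  # both up: served by server 1
    transport.down.add(s1)
    out.append(pool.request("q2")["result"])  # server 2's turn in the rotation
    out.append(pool.request("q3")["result"])  # server 1 dead: fails over to server 2
    transport.down.add(s2)
    out.append(pool.request("q4")["ok"])  # everything down: error result, no abort
    transport.down.discard(s1)
    out.append(pool.request("q5")["result"])  # reconnect to server 1 succeeds
    return out


if __name__ == "__main__":
    print(demo())
```

Running the module prints the outcome of the five requests; the third request shows the five cached connections to the dead server being discarded one by one before the other server is used, and the fourth shows the error result that a client would see while every LDAP server is unavailable.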