Hi List,
We are operating an LDAP Directory that does authentication using Kerberos.
The directory is Sun One 5.2 Update 6 and the Kerberos plugin we use is:
libkrbdirp.so (http://people.duke.edu/~rob/krbdirp/):

ldd libkrbdirp.so
        libnsl.so.1 => /lib/64/libnsl.so.1
        libresolv.so.2 => /lib/64/libresolv.so.2
        libc.so.1 => /lib/64/libc.so.1
        libsocket.so.1 => /lib/64/libsocket.so.1
        libgen.so.1 => /lib/64/libgen.so.1
        libpthread.so.1 => /lib/64/libpthread.so.1
        libmp.so.2 => /lib/64/libmp.so.2
        libmd.so.1 => /lib/64/libmd.so.1
        libscf.so.1 => /lib/64/libscf.so.1
        libdoor.so.1 => /lib/64/libdoor.so.1
        libuutil.so.1 => /lib/64/libuutil.so.1
        libm.so.2 => /lib/64/libm.so.2
        /lib/sparcv9/../libm/sparcv9/libm_hwcap1.so.2
        /platform/SUNW,SPARC-Enterprise/lib/sparcv9/libc_psr.so.1

The problem we have is that if an Active Directory server from the list
`nslookup -query=srv _kerberos._tcp.example.com` is not reachable, the
directory server fails because the Kerberos plugin still tries to use
the faulty Active Directory server.
- For security reasons, we are forced to use TCP for Kerberos traffic.

My question is: how can I change the behavior of Kerberos to skip the faulty
Active Directory server until it comes back online again?
Is there any chance to implement a failover? Or maybe decrease the connectivity
timeout or something like that?

Please note that, basically, Kerberos is still working in the above case, but
the directory is serving about 150K users, and due to the amount of
concurrent connections the directory server fails and becomes unavailable.

So if somebody has an idea, please do not hesitate to contact me! I appreciate
everything.
Thanks and all the best,
Si
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
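
The behaviour asked about above (skip a KDC that does not answer on TCP until it is reachable again), sketched as an added example that is not part of the original post and not a feature of krbdirp or of any Kerberos library. The class name, the timeout and hold-down values are assumptions, and loopback sockets stand in for the KDCs from the SRV list.

```python
import socket
import time
class KdcSelector:
    """Return the first KDC that accepts a TCP connection; skip failed ones for hold_down seconds."""
    def __init__(self, candidates, connect_timeout=1.0, hold_down=60.0, clock=time.monotonic):
        self.candidates = list(candidates)  # (host, port) pairs in SRV priority order
        self.connect_timeout = connect_timeout
        self.hold_down = hold_down
        self.clock = clock
        self.down_until = {}                # addr -> earliest time it may be probed again
        self.probed = []                    # every addr a connect was attempted to

    def _probe(self, addr):
        self.probed.append(addr)
        try:
            with socket.create_connection(addr, timeout=self.connect_timeout):
                return True
        except OSError:                     # refused, unreachable or timed out
            return False

    def pick(self):
        now = self.clock()
        for addr in self.candidates:
            if self.down_until.get(addr, now) > now:
                continue                    # in hold-down: no connect attempt, no waiting
            if self._probe(addr):
                self.down_until.pop(addr, None)
                return addr
            self.down_until[addr] = now + self.hold_down
        return None                         # nothing reachable right now

def demo():
    # Constructed stand-ins on loopback: a listener plays the healthy KDC, a closed port the faulty one.
    live = socket.socket(); live.bind(("127.0.0.1", 0)); live.listen(8)
    tmp = socket.socket(); tmp.bind(("127.0.0.1", 0)); dead = tmp.getsockname(); tmp.close()
    now = [0.0]                             # fake clock so the hold-down can be stepped
    sel = KdcSelector([dead, live.getsockname()], 0.5, 60.0, clock=lambda: now[0])
    first, second = sel.pick(), sel.pick()  # second call must not touch the dead address
    dead_probes = sel.probed.count(dead)
    revived = socket.socket()               # the faulty server comes back online
    revived.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    revived.bind(dead); revived.listen(8)
    now[0] = 61.0                           # hold-down expired
    third = sel.pick()
    live_addr = live.getsockname()
    live.close(); revived.close()
    return first == live_addr, second == live_addr, dead_probes, third == dead
if __name__ == "__main__":
    print(demo())
```

With many concurrent binds, the point of the hold-down is that only one request per interval pays the connect timeout for the unreachable server; all others go straight to the next entry.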