[36656] in Kerberos
Re: upgrading kerberos 1.9.4 to 1.13 with LDAP backend
daemon@ATHENA.MIT.EDU (Chris Hecker)
Wed Dec 3 19:20:41 2014
In-Reply-To: <38ac01d00f48$20570460$61050d20$@acm.org>
Date: Wed, 3 Dec 2014 16:20:31 -0800
Message-ID: <CAOdMLc21QLW7hv4PbZMvRwOpt-9poheqwB67TFrY3ZRKp0FWvw@mail.gmail.com>
From: Chris Hecker <checker@d6.com>
To: "Paul B. Henson" <henson@acm.org>
Cc: kerberos@mit.edu
I am going to need to make the exact same update at some point, so a report
back on how it went would be great!
Thanks,
Chris
On Dec 3, 2014 2:28 PM, "Paul B. Henson" <henson@acm.org> wrote:
> We currently have three Kerberos servers running 1.9.4 using the LDAP
> backend and are planning to upgrade to 1.13. Historically we have always
> upgraded servers one at a time, slaves first, then the master, and done the
> upgrade in place with the temporary existence of different versions.
>
> This is the first upgrade we have done since switching to the LDAP backend.
> We have account lockout enabled (shakes angry fist at ridiculous ISO audit
> checkbox), and our LDAP backend is multi master, so technically even though
> we have a load balancer in front directing kadmin load at any given time to
> only one of the three servers, they are all masters and updating the local
> database simultaneously.
>
> I see that four new attributes (krbPwdAttributes, krbPwdMaxLife,
> krbPwdMaxRenewableLife, and krbPwdAllowedKeysalts) have been added to the
> krbPwdPolicy object class in the schema. openldap gets quite unhappy if one
> server tries replicating an attribute to another which does not have it
> defined 8-/, so I want to be sure to avoid that scenario.
>
> I am tentatively thinking of updating the openldap schema on the existing
> systems prior to the update, and then updating Kerberos itself one system at
> a time as we have historically done. Does this seem reasonable, and will
> hopefully succeed without any interoperability issues?
>
> Thanks much for any thoughts or suggestions.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
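Added pre-flight check for the plan in the quoted message (example code, not from the thread or the krb5 project): it reads the subschema from each OpenLDAP replica and reports which of the four new krbPwdPolicy attributes are not yet defined there, so every multi-master replica can be confirmed before the first KDC is upgraded. It assumes ldapsearch is installed and that cn=subschema is readable with an anonymous bind; the sample schema and its OIDs are constructed.

```shell
#!/bin/sh
# Attributes added to krbPwdPolicy by the krb5 1.13 schema (from the thread).
REQUIRED="krbPwdAttributes krbPwdMaxLife krbPwdMaxRenewableLife krbPwdAllowedKeysalts"

# Read subschema LDIF on stdin and print every NAME declared by an
# attributeTypes entry, one per line, lower-cased (LDAP names are case-
# insensitive). LDIF wraps long values onto continuation lines that start
# with a single space, so unwrap them before matching.
schema_attr_names() {
  awk '/^ / { line = line substr($0, 2); next }
       { if (line != "") print line; line = $0 }
       END { if (line != "") print line }' \
    | grep -i '^attributeTypes:' \
    | grep -o -i -E "NAME *\( *'[^)]*\)|NAME *'[^']*'" \
    | grep -o "'[^']*'" | tr -d "'" | tr 'A-Z' 'a-z'
}

# Print each REQUIRED attribute that the schema on stdin does not define.
missing_attrs() {
  names=$(schema_attr_names)
  for attr in $REQUIRED; do
    lower=$(printf '%s' "$attr" | tr 'A-Z' 'a-z')
    printf '%s\n' "$names" | grep -qx "$lower" || printf '%s\n' "$attr"
  done
}

# Query one replica by LDAP URI, e.g. ldap://ldap1.example.com (assumption:
# a base-scope anonymous read of cn=subschema is permitted).
check_server() {
  ldapsearch -LLL -x -H "$1" -b cn=subschema -s base attributeTypes | missing_attrs
}

# Constructed sample of a partially updated schema: only two of the four
# attributes are present, and one value is wrapped across two LDIF lines.
# The OIDs under 1.3.6.1.4.1.99999 are placeholders, not the real krb5 ones.
sample_schema() {
  cat <<'EOF'
dn: cn=Subschema
attributeTypes: ( 1.3.6.1.4.1.99999.1 NAME 'krbPwdMaxLife' DESC 'constructed
  sample' EQUALITY integerMatch SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.99999.2 NAME ( 'krbPwdAllowedKeysalts' )
  EQUALITY caseIgnoreMatch )
EOF
}

# Stand-alone run: report what the sample is missing (expected: krbPwdAttributes
# krbPwdMaxRenewableLife), then check each replica URI given on the command line.
printf 'sample schema is missing: %s\n' "$(sample_schema | missing_attrs | tr '\n' ' ')"
for uri in "$@"; do
  printf '%s is missing: %s\n' "$uri" "$(check_server "$uri" | tr '\n' ' ')"
done
```

Run it once against every replica before touching the first slave; an empty "is missing" list on all of them is the condition the quoted plan depends on.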