Many Kerberos/LDAP systems have redundant Kerberos/LDAP
servers to provide load balancing and high availability. Typically,
there will be one DNS entry that will resolve to each of the Kerberos/LDAP
servers. For example, example.com may resolve
to dc1.example.com and dc2.example.com. If the client fails to connect to the first entry, it will fail
over to the next one. There are a few extra steps necessary to configure
master-slave fail-over in Niagara.
- In the Kerberos Authentication Scheme, set your connection
URL to one that will resolve to each of your LDAP servers (ldap://example.com in our example above).
- Set the Connection Timeout property to a reasonable time
for your scenario.
- Set the Key Distribution Center to a hostname that will
resolve to each of your key distribution centers (e.g. example.com in our example above).
- Open the Basic Krb5 Conf Editor view on the Kerberos Authentication
Scheme.
- Select and enter values for the Kdc Timeout and Kdc Max
Retries properties.
- For any Workbench client that will authenticate to the station
with Kerberos, navigate to and
set the Kdc Timeout and Kdc Max Retries properties to the same values
that you configured for the station, and set the Forwardable property
to true.
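Before entering the timeout values, it helps to confirm that the shared name really resolves to every server and that each one answers inside the timeout you plan to use. The following is an added example, not part of Niagara or the original page: the function names are hypothetical, and it assumes LDAP on TCP 389 and a KDC that accepts TCP on port 88.

```python
import socket

def resolve_all(hostname, port, resolver=socket.getaddrinfo):
    """Return every unique address the shared DNS name resolves to."""
    infos = resolver(hostname, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def tcp_probe(addr, port, timeout):
    """True if a TCP connection to addr:port opens within timeout seconds."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_failover(hostname, ports=(389, 88), timeout=3.0,
                   resolver=socket.getaddrinfo, probe=tcp_probe):
    """Probe each resolved server on each port; return a list of findings."""
    findings = []
    for port in ports:
        addrs = resolve_all(hostname, port, resolver)
        if len(addrs) < 2:
            findings.append(f"port {port}: {hostname} resolves to "
                            f"{len(addrs)} address(es), no fail-over target")
        for addr in addrs:
            if not probe(addr, port, timeout):
                findings.append(f"port {port}: {addr} did not answer "
                                f"within {timeout}s")
    return findings

# Constructed sample data (documentation-range addresses) so the check can be
# exercised offline: two servers behind example.com, one with its KDC down.
SAMPLE_DNS = {"example.com": ["192.0.2.10", "192.0.2.11"]}
SAMPLE_DOWN = {("192.0.2.11", 88)}

def sample_resolver(host, port, type=0):
    # Mimics the tuple shape returned by socket.getaddrinfo.
    return [(socket.AF_INET, type, 6, "", (a, port)) for a in SAMPLE_DNS[host]]

def sample_probe(addr, port, timeout):
    return (addr, port) not in SAMPLE_DOWN

if __name__ == "__main__":
    for line in check_failover("example.com", resolver=sample_resolver,
                               probe=sample_probe):
        print(line)
```

Called without the `resolver` and `probe` arguments, `check_failover` queries real DNS and opens real connections; pass the Connection Timeout or Kdc Timeout value you intend to configure as `timeout`.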