Designing mid-sized site

Matthew Smith matt at
Wed Jun 11 16:01:46 EDT 2003

 From my (perhaps minimal, compared to others in this group) experience, 
I strongly reccommend as few realms as possible, and as "flat" a 
structure as possible, especially in the academic world, to avoid 
political nightmares.

I am at a medium to large size school, with ~10,000 faculty + staff, 
~25,000 students, 7 remote campuses, and ~40 remote offices.  We have no 
problems using one realm (multiple KDCs, of course) for all of our 

As well, ALL of our users exist in one ou=people branch of our LDAP 
tree.  This avoided huge political problems (which are ALWAYS more 
difficult to solve than technical problems) resulting from people who 
held multiple roles, such as student/staff, or biology/chemistry vs 
biochemistry.  Trying to make a strict hierarchy can be very very political.

Hope that helps,

Lukas Kubin wrote:
> Hash: SHA1
> We are in the process of converting our university network from Novell
> Netware to Kerberos/OpenAFS/OpenLDAP. The network counts about 7000 users.
> There are 2 geographic locations (schools), both have their own server
> centers. There is a quite fast connection between those 2 nodes.
> Since this is the first time for most of us to design such a network using
> Kerberos, we would like to get some advice here.
> 1. How many realms should we create? Is UNIV.ORG enough or shall we create
> one for each school or department? Say, UNIV.ORG and SCHOOL1.UNIV.ORG and
> 2. How should we create user accounts to distinguish students, employees
> for each school, similarly to the Novell's "context" concept? At the same
> time we need everybody to be able to log-in in any computer throughout the
> university network without much effort.
> Thank you.
> lukas
> - -- 
> Lukas Kubin
> phone: +420596398285
> email: kubin at
> Information centre
> The School of Business Administration in Karvina
> Silesian University in Opava
> Czech Republic
> Version: GnuPG v1.2.1 (GNU/Linux)
> Comment: Made with pgp4pine 1.75-6
> iD8DBQE+51SuhukdIiZrwu4RAoYoAJ9qxOh7C9Tw3fxpUz3ZbPpULoB9UgCghXzc
> aCx98hoJz4SQ0IBD+2M23oY=
> =PSRn
> ________________________________________________
> Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list