Designing mid-sized site

Paul M Fleming pfleming at siumed.edu
Wed Jun 11 16:32:51 EDT 2003


I agree. We run a single realm and a flat LDAP setup. The problem with
using the Novell "context" idea is people are always moving around,
titles/departments change, students become staff or faculty, etc. It is
much easier to carry a single Kerberos ID around regardless and just
change LDAP attributes instead of moving a user from one branch of the
tree to another. We've been running a setup like this with 3000 users
for about 5 years and it works / scales very well. We have lots of
remote sites with two main campuses. We run 3 KDCs, 5 replicated LDAP
servers.

If your entire organization is under one central management group this
flat structure makes sense (ours is); if you plan on distributing
management to multiple colleges/departments then realms & branches might
make sense because of administrative delegation issues. For example, with
multiple realms in Kerberos you can have different admins in each
realm. Keep in mind if you use several realms you'll need to set up
inter-realm trust in Kerberos.

My 2 Cents..

Paul

Matthew Smith wrote:
> 
> From my (perhaps minimal, compared to others in this group) experience,
> I strongly recommend as few realms as possible, and as "flat" a
> structure as possible, especially in the academic world, to avoid
> political nightmares.
> 
> I am at a medium to large size school, with ~10,000 faculty + staff,
> ~25,000 students, 7 remote campuses, and ~40 remote offices.  We have no
> problems using one realm (multiple KDCs, of course) for all of our
> authentication.
> 
> As well, ALL of our users exist in one ou=people branch of our LDAP
> tree.  This avoided huge political problems (which are ALWAYS more
> difficult to solve than technical problems) resulting from people who
> held multiple roles, such as student/staff, or biology/chemistry vs
> biochemistry.  Trying to make a strict hierarchy can be very very political.
> 
> Hope that helps,
> -Matt
> 
> Lukas Kubin wrote:
> >
> > We are in the process of converting our university network from Novell
> > Netware to Kerberos/OpenAFS/OpenLDAP. The network counts about 7000 users.
> > There are 2 geographic locations (schools), both have their own server
> > centers. There is a quite fast connection between those 2 nodes.
> >
> > Since this is the first time for most of us to design such a network using
> > Kerberos, we would like to get some advice here.
> >
> > 1. How many realms should we create? Is UNIV.ORG enough or shall we create
> > one for each school or department? Say, UNIV.ORG and SCHOOL1.UNIV.ORG and
> > SCHOOL2.UNIV.ORG.
> >
> > 2. How should we create user accounts to distinguish students, employees
> > for each school, similarly to the Novell's "context" concept? At the same
> > time we need everybody to be able to log-in in any computer throughout the
> > university network without much effort.
> >
> > Thank you.
> >
> > lukas
> >
> > --
> > Lukas Kubin
> >
> > phone: +420596398285
> > email: kubin at opf.slu.cz
> >
> > Information centre
> > The School of Business Administration in Karvina
> > Silesian University in Opava
> > Czech Republic
> > http://www.opf.slu.cz
> >
> >
> >
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> 
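The flat ou=people layout Paul and Matt describe above, as an added LDIF example that is not from anyone in the thread: school and role are held as attributes, so a change of status is an attribute modification and the user's DN and Kerberos principal never move. The suffix dc=univ,dc=org, the user values, and the use of the inetOrgPerson, eduPerson and MIT Kerberos LDAP (krbPrincipalAux) schemas are assumptions.

```ldif
# Constructed example, not from the thread. A flat ou=people tree for the
# single realm UNIV.ORG: the DN carries only the uid, while school and role
# live in attributes, so a change of status is an attribute change and the
# user's DN and Kerberos principal never move. inetOrgPerson, eduPerson and
# the MIT Kerberos LDAP schema (krbPrincipalAux) are assumed to be loaded;
# the suffix dc=univ,dc=org and the user values are made up.

# 1. Initial entry: a chemistry student at school 1.
dn: uid=jdoe,ou=people,dc=univ,dc=org
changetype: add
objectClass: inetOrgPerson
objectClass: eduPerson
objectClass: krbPrincipalAux
uid: jdoe
cn: Jane Doe
sn: Doe
mail: jdoe@univ.org
eduPersonPrimaryAffiliation: student
eduPersonAffiliation: student
eduPersonAffiliation: member
ou: school1
departmentNumber: CHEM
krbPrincipalName: jdoe@UNIV.ORG

# 2. The same person later becomes staff in a different school and
#    department. Only attributes are replaced; the DN and the principal
#    jdoe@UNIV.ORG are untouched, so existing ACLs, group memberships that
#    reference the DN, home directories and keytabs keep working.
dn: uid=jdoe,ou=people,dc=univ,dc=org
changetype: modify
replace: eduPersonPrimaryAffiliation
eduPersonPrimaryAffiliation: staff
-
replace: eduPersonAffiliation
eduPersonAffiliation: staff
eduPersonAffiliation: member
-
replace: ou
ou: school2
-
replace: departmentNumber
departmentNumber: BIOCHEM
-
add: title
title: Lab Technician
-
```

Apply with ldapmodify -f against the directory; searches such as (eduPersonAffiliation=staff) or (ou=school2) then select the right users without any subtree ever being moved.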

