Designing mid-sized site

Matthew Smith matt at
Thu Jun 12 09:46:11 EDT 2003

Paul --
Good point -- in my experience too, realms + LDAP branches should not
be used to represent the structure of your organization, but rather just
for delegation of administration.

Paul M Fleming wrote:
> I agree. We run a single realm and a flat LDAP setup. The problem with
> using the Novell "context" idea is people are always moving around,
> titles/departments change, students become staff or faculty, etc. It is
> much easier to carry a single Kerberos ID around regardless and just
> change LDAP attributes instead of moving a user from one branch of the
> tree to another. We've been running a setup like this with 3000 users
> for about 5 years and it works / scales very well. We have lots of
> remote sites with two main campuses. We run 3 KDCs, 5 replicated LDAP
> servers.
> If your entire organization is under one central management group this
> flat structure makes sense (ours is); if you plan on distributing
> management to multiple colleges/departments then realms & branches might
> make sense because of administrative delegation issues. For example, with
> multiple realms in Kerberos you can have different admins in each
> realm. Keep in mind if you use several realms you'll need to set up
> inter-realm trust in Kerberos.
> My 2 cents..
> Paul
> Matthew Smith wrote:
>> From my (perhaps minimal, compared to others in this group) experience,
>> I strongly recommend as few realms as possible, and as "flat" a
>> structure as possible, especially in the academic world, to avoid
>> political nightmares.
>> I am at a medium to large size school, with ~10,000 faculty + staff,
>> ~25,000 students, 7 remote campuses, and ~40 remote offices.  We have no
>> problems using one realm (multiple KDCs, of course) for all of our
>> As well, ALL of our users exist in one ou=people branch of our LDAP
>> tree.  This avoided huge political problems (which are ALWAYS more
>> difficult to solve than technical problems) resulting from people who
>> held multiple roles, such as student/staff, or biology/chemistry vs
>> biochemistry.  Trying to make a strict hierarchy can be very, very political.
>> Hope that helps,
>> Lukas Kubin wrote:
>>> We are in the process of converting our university network from Novell
>>> Netware to Kerberos/OpenAFS/OpenLDAP. The network counts about 7000 users.
>>> There are 2 geographic locations (schools); both have their own server
>>> centers. There is a quite fast connection between those 2 nodes.
>>> Since this is the first time for most of us to design such a network using
>>> Kerberos, we would like to get some advice here.
>>> 1. How many realms should we create? Is UNIV.ORG enough or shall we create
>>> one for each school or department? Say, UNIV.ORG and SCHOOL1.UNIV.ORG and
>>> 2. How should we create user accounts to distinguish students and employees
>>> for each school, similarly to Novell's "context" concept? At the same
>>> time we need everybody to be able to log in on any computer throughout the
>>> university network without much effort.
>>> Thank you.
>>> --
>>> Lukas Kubin
>>> phone: +420596398285
>>> email: kubin at
>>> Information centre
>>> The School of Business Administration in Karvina
>>> Silesian University in Opava
>>> Czech Republic
>>>Kerberos mailing list           Kerberos at
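To make the flat-tree advice in the thread concrete, here is an added LDIF example (constructed for this page, not from either poster's directory) contrasting a role change in a flat ou=people tree with the rename the "context" layout would need. The dc=univ,dc=org suffix, the user jnovak, the ou=school1 value and the use of eduPerson affiliation attributes are all assumptions.

```ldif
# Constructed entry: every user sits directly under ou=people. The DN and
# the Kerberos principal (jnovak@UNIV.ORG) carry no role or department;
# role and school live in attributes only.
dn: uid=jnovak,ou=people,dc=univ,dc=org
changetype: add
objectClass: inetOrgPerson
objectClass: eduPerson
uid: jnovak
cn: Jan Novak
sn: Novak
ou: school1
eduPersonAffiliation: student
eduPersonPrimaryAffiliation: student

# Flat design: a student who becomes staff is an attribute change.
# The DN, and therefore the Kerberos principal, is untouched.
dn: uid=jnovak,ou=people,dc=univ,dc=org
changetype: modify
replace: eduPersonAffiliation
eduPersonAffiliation: staff
eduPersonAffiliation: alum
-
replace: eduPersonPrimaryAffiliation
eduPersonPrimaryAffiliation: staff
-

# Hierarchical ("context") design for comparison: the same role change
# means renaming the entry into another branch, so every DN-based ACL,
# group membership and application reference to the old DN breaks.
dn: uid=jnovak,ou=students,ou=school1,dc=univ,dc=org
changetype: modrdn
newrdn: uid=jnovak
deleteoldrdn: 1
newsuperior: ou=staff,ou=school1,dc=univ,dc=org
```

With the flat layout, "all students of school1" is a search filter such as (&(ou=school1)(eduPersonAffiliation=student)) against ou=people rather than a subtree base, so delegation can be expressed in ACLs on attribute values instead of tree position.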
