Designing mid-sized site
matt at forsetti.com
Thu Jun 12 09:46:11 EDT 2003
Good point -- in my experience too, realms + LDAP branches should not
be used to represent the structure of your organization, but rather just
for delegation of administration.
Paul M Fleming wrote:
> I agree. We run a single realm and a flat LDAP setup. The problem with
> using the Novell "context" idea is people are always moving around,
> titles/departments change, students become staff or faculty, etc. It is
> much easier to carry a single kerberos ID around regardless and just
> change LDAP attributes instead of moving a user from one branch of the
> tree to another. We've been running a setup like this with 3000 users
> for about 5 years and it works / scales very well. We have lots of
> remote sites with two main campuses.. We run 3 KDCS, 5 replicated LDAP
> If your entire organization is under one central management group this
> flat structure makes sense (ours is), if you plan on distributing
> management to multiple colleges/department then realms & branches might
> make sense because of administrative delegation issues. For example, with
> multiple realms in Kerberos you can have different admins in each
> realm.. Keep in mind if you use several realms you'll need to set up
> inter-realm trust in Kerberos.
> My 2 Cents..
> Matthew Smith wrote:
>> From my (perhaps minimal, compared to others in this group) experience,
>> I strongly recommend as few realms as possible, and as "flat" a
>> structure as possible, especially in the academic world, to avoid
>> I am at a medium to large size school, with ~10,000 faculty + staff,
>> ~25,000 students, 7 remote campuses, and ~40 remote offices. We have no
>> problems using one realm (multiple KDCs, of course) for all of our
>> As well, ALL of our users exist in one ou=people branch of our LDAP
>> tree. This avoided huge political problems (which are ALWAYS more
>> difficult to solve than technical problems) resulting from people who
>> held multiple roles, such as student/staff, or biology/chemistry vs
>> biochemistry. Trying to make a strict hierarchy can be very very political.
>> Hope that helps,
>>Lukas Kubin wrote:
>>> We are in the process of converting our university network from Novell
>>> Netware to Kerberos/OpenAFS/OpenLDAP. The network counts about 7000 users.
>>> There are 2 geographic locations (schools), both have their own server
>>> centers. There is a quite fast connection between those 2 nodes.
>>> Since this is the first time for most of us to design such a network using
>>> Kerberos, we would like to get some advice here.
>>> 1. How many realms should we create? Is UNIV.ORG enough or shall we create
>>> one for each school or department? Say, UNIV.ORG and SCHOOL1.UNIV.ORG and
>>> 2. How should we create user accounts to distinguish students, employees
>>> for each school, similarly to the Novell's "context" concept? At the same
>>> time we need everybody to be able to log in on any computer throughout the
>>> university network without much effort.
>>> email: kubin at opf.slu.cz
>>> The School of Business Administration in Karvina
>>> Silesian University in Opava
>>>Kerberos mailing list Kerberos at mit.edu
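An added example, not written by any poster in this thread: a krb5.conf for the single-realm, multi-KDC layout Paul and Matthew describe, followed by the cross-realm section that would only be needed if UNIV.ORG and SCHOOL1.UNIV.ORG were split into separate realms. The realm names come from Lukas's question; the KDC host names and the per-campus DNS domains are assumed.

```ini
# Single realm for the whole university, served by three KDCs spread over
# both campuses. Clients only need one default_realm; a user's role or school
# lives in LDAP attributes, not in the realm or principal name.
[libdefaults]
    default_realm = UNIV.ORG
    # Pin the KDC list below instead of discovering KDCs via DNS SRV records,
    # so a spoofed DNS answer cannot steer clients to a rogue KDC.
    dns_lookup_kdc = false

[realms]
    UNIV.ORG = {
        # Host names are assumed: two KDCs on campus 1, one on campus 2.
        kdc = kdc1.school1.univ.org
        kdc = kdc2.school1.univ.org
        kdc = kdc3.school2.univ.org
        admin_server = kdc1.school1.univ.org
    }

    # Only if administration is delegated to a separately run realm.
    # Every host in this block is assumed.
    SCHOOL1.UNIV.ORG = {
        kdc = kdc.school1.univ.org
        admin_server = kdc.school1.univ.org
    }

[domain_realm]
    # Every machine on either campus maps to the one realm, so a user can
    # log in on any computer without choosing a realm.
    .univ.org = UNIV.ORG
    univ.org = UNIV.ORG
    .school1.univ.org = UNIV.ORG
    .school2.univ.org = UNIV.ORG

# The inter-realm trust Paul mentions. It is only consulted for the two-realm
# design: each KDC must also hold the cross-realm ticket-granting principals
# krbtgt/SCHOOL1.UNIV.ORG@UNIV.ORG and krbtgt/UNIV.ORG@SCHOOL1.UNIV.ORG with
# identical keys, and "." below means the two realms trust each other
# directly with no intermediate realm.
[capaths]
    SCHOOL1.UNIV.ORG = {
        UNIV.ORG = .
    }
    UNIV.ORG = {
        SCHOOL1.UNIV.ORG = .
    }
```

For the flat design the posters recommend, the SCHOOL1.UNIV.ORG realm block and the whole [capaths] section are dropped.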