kerberos password change in master-slave environ
John Hascall
john at iastate.edu
Wed Mar 24 17:40:09 EST 2004
> That's very impressive and it gives me a lot of hope that our
> proof-of-concept will be successful! I'm very glad to hear this. What kind
> of usage do you see on this? Do you use MIT or Heimdal?
We are running MIT's with our own incremental replication code
(we replicate to the slave, our W2K-AD, and our Novell NDS).
Basically, we put 5 little hooks in the kadmin libs that
write 'transaction log records' into a directory. Everything
else is done with external programs and scripts. I've posted
more details which should be in the list archives someplace.
John
> -----Original Message-----
> From: John Hascall
> To: Digant Kasundra
> Cc: Kerberos List
> Sent: 3/24/2004 2:57 PM
> Subject: Re: kerberos password change in master-slave environ
>
>
>
> > >I'm not saying multi-master isn't desirable, but for the average
> realm,
> > >you
> > >can live without it. For a larger realm, (in the tens of thousands
> of
> > >principals) having incremental propagation probably takes care of the
> > >issues you have with DB propagation.
>
> > Our realm has 43,000+ principals so for us, its a big deal. :) We
> have
> > slaves not only for redundancy, but also for load balancing. We don't
> want
> > all the users on our campus authenticating or changing passwords
> against
> > just one machine.
>
> I'll see your 43,000 principals and raise you about 15,000 more :)
>
> We use a single master incrementally updating a single offsite slave
> (both PCs running NetBSD) and we see no performance problems at all.
>
> John
>
More information about the Kerberos
mailing list