primary/secondary config question

edward@murrell.co.nz edward at murrell.co.nz
Thu Dec 13 00:01:37 EST 2007


I haven't used LDAP for storing data, but since Kerberos doesn't hold any
state, this shouldn't be a problem, providing you have your replication
set up properly. If you are using a single master LDAP, you should be able
to tell the kadmind-running KDC to refer to the master LDAP to write its
changes to, or if you can, use multi-master replication - although that
could have 'odd' effects if a client updates its password on one KDC,
then uses the same password on another before the changes are pushed out.

> Would there be any problems having both kdcs modifying
> the database?
>
> thanks
>
> Steve
>
> --- edward at murrell.co.nz wrote:
>
>> Extra complexity for no benefit?
>>
>> The load on the LDAP server is likely to be higher
>> than the load on the
>> KDC, so spreading the load of the KDCs isn't going
>> to change anything
>> unless one of your KDCs is really really slow.
>> If you want
>> redundancy, I would maybe consider making slave
>> replicas of the LDAP
>> database on the KDC machines, and pointing the KDCs
>> at the local replica,
>> followed by the other two.
>>
>> Edward
>>
>> > Could someone review this setup, and provide some
>> > feedback?
>> >
>> > I am using an ldap backend, with a primary and
>> > secondary kdc pointing to the same ldap server
>> (only
>> > the primary runs kadmind). Both the primary and the
>> > secondary can affect the database. I'm wondering
>> if
>> > there are any reasons why I wouldn't want to do
>> this
>> > in a production environment.
>> >
>> > Thanks in advance!
>> >
>> > Steve
>> >
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>



