MIT Incremental Propagation

John Hascall john at iastate.edu
Fri Sep 21 17:46:40 EDT 2007


> Yes, that's exactly right.  At least, in theory; I haven't tried it.   
> Using the LDAP back end -- ah, as I see Nico was just saying -- will  
> get you a common database shared across the KDCs, and leaves the  
> replication mechanism, if any, to the LDAP administrator.
> 
> Building something on Ubik might be a possibility.  I'm not that  
> familiar with it beyond "oh, that thing in AFS", but if it meets the  
> performance requirements for a KDC, yes, it could work.

Well, ubik wouldn't exactly be my first choice, I just threw it
out as a possibly-known technology in the KDC replication protocol space.

Ubik is an elected-master protocol.  All updates go to the master
which replicates.  If the master goes away, after a while the
remaining nodes notice and revote a new master (this can take a while).

I'm not sure that model works well with the KDC's single-threadedness.

I expect a 3-phase commit model would be more robust.

John
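A toy model of the elected-master scheme John sketches above (updates go to one master which replicates; a lost master is noticed only after a timeout and then re-voted), added here as an illustration and not Ubik's or any KDC's own code. The timeout, election delay, majority-quorum rule and lowest-name tie-break are assumptions of this model, chosen to make the unavailable window visible.

```python
from dataclasses import dataclass, field

HEARTBEAT_TIMEOUT = 15  # assumed: seconds of silence before a node suspects the master
ELECTION_DELAY = 10     # assumed: time the survivors need to agree on a new master

@dataclass
class Node:
    name: str
    alive: bool = True
    db: dict = field(default_factory=dict)  # toy copy of the replicated database
    last_heard: float = 0.0                  # last time the master contacted this node

class Cluster:
    def __init__(self, names):
        self.nodes = {n: Node(n) for n in names}
        self.master = names[0]       # initial master, chosen arbitrarily
        self.election_ends = None    # end time of an election in progress, if any

    def tick(self, now):
        """Failure detection and election, driven by the simulated clock."""
        if self.election_ends is not None:
            if now >= self.election_ends:
                self.election_ends = None   # vote concluded, the new master is live
            return
        if self.nodes[self.master].alive:
            return
        survivors = [n for n in self.nodes.values() if n.alive]
        suspects = [n for n in survivors if now - n.last_heard > HEARTBEAT_TIMEOUT]
        if len(suspects) * 2 > len(self.nodes):         # a majority must agree first
            self.master = min(n.name for n in survivors)  # deterministic tie-break
            self.election_ends = now + ELECTION_DELAY

    def write(self, now, key, value):
        """Client update: accepted only by a live master, then fanned out to peers."""
        self.tick(now)
        master = self.nodes[self.master]
        if not master.alive or self.election_ends is not None:
            return False             # no usable master right now: caller must retry
        master.db[key] = value
        for n in self.nodes.values():
            if n.alive and n.name != self.master:
                n.db[key] = value
                n.last_heard = now
        return True

    def kill(self, name):
        self.nodes[name].alive = False
```

With three nodes, killing the master leaves writes rejected for the timeout plus the election delay; losing two of three leaves no quorum, so the cluster never elects and stays write-unavailable.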


