MIT Incremental Propagation
John Hascall
john at iastate.edu
Fri Sep 21 17:46:40 EDT 2007
> Yes, that's exactly right. At least, in theory; I haven't tried it.
> Using the LDAP back end -- ah, as I see Nico was just saying -- will
> get you a common database shared across the KDCs, and leaves the
> replication mechanism, if any, to the LDAP administrator.
>
> Building something on Ubik might be a possibility. I'm not that
> familiar with it beyond "oh, that thing in AFS", but if it meets the
> performance requirements for a KDC, yes, it could work.

Well, Ubik wouldn't exactly be my first choice; I just threw it
out as a possibly-known technology in the KDC replication protocol space.

Ubik is an elected-master protocol. All updates go to the master,
which replicates. If the master goes away, after a while the
remaining nodes notice and revote a new master (this can take a while).

I'm not sure that model works well with the KDC's single-threadedness.
I expect a 3-phase commit model would be more robust.

John

More information about the Kerberos mailing list