MIT Incremental Propagation

Donn Cave donn at u.washington.edu
Fri Sep 21 19:52:11 EDT 2007


In article <mailman.93.1190407856.2905.kerberos at mit.edu>,
 "Kevin Coffman" <kwc at citi.umich.edu> wrote:

> On 9/21/07, Jeffrey Altman <jaltman at secure-endpoints.com> wrote:
> > John Harris wrote:
> > > Greetings,
> > >
> > > Does MIT's current implementation of the Kerberos KDC include
> > > incremental propagation?  I know it didn't a long time ago, then there
> > > were CITI patches for it, then those didn't work for a while.  I don't
> > > seem to be able to pinpoint an answer to it.
> > >
> > > Thanks,
> > >
> > > John
> > There is no incremental propagation distributed with MIT Kerberos.
> >
> > Jeffrey Altman
> 
> Our patch hasn't been ported forward to release 1.5 and beyond yet.
> With the new pluggable database interface, changes are necessary.  We
> haven't had the time to get to it yet.

We haven't taken ours to a recent release level yet either, but
for other reasons.  It would be interesting, if academic, to see
if our approach would work with 1.6 without changes.  I think it
would - it's quite trivial, we just siphon off data (who, what)
from every change kadmind makes, and some other local software
takes it and applies it to peer KDCs.  One or more of which are
Microsoft domain controllers (but only the MIT KDCs can propagate
changes.)  We've been doing this for ca 8 years.

As for an LDAP solution, we've talked about this here before
(cf. "LDAP KDB".)  If you need an LDAP backend for some other
reason, that's one thing, but just for replication, I don't
think so.

   Donn Cave, donn at u.washington.edu


