Kerberos-LDAP infrastructure

Thomas Boutry thomas.boutry at
Mon Jul 7 09:21:41 EDT 2008



We'd like to deploy Kerberos on our network. We already have a
working Kerberos setup in our Lab which has a Master Kerberos server
with an OpenLDAP backend and a Slave Kerberos server which also uses an
OpenLDAP backend.


Before we go live into production, we're looking for information on how
to build the Kerberos infrastructure (i.e. in which network DMZ do I
install the KDC? Where should we install the slave Kerberos servers? Can
we run a "hidden" KDC, much like a hidden Primary DNS server? How would
that affect users who want to change their passwords? etc.).


Unfortunately, we didn't find a lot of documentation which talks
specifically about Kerberos architecture. That's why we're looking for
experienced Kerberos users to help us deploy a good Kerberos


Our goals are to create a Hidden Master Kerberos and several Slaves. We
plan to use the Kerberos/OpenLDAP services for authentication via SSH,
OpenAFS, autofs maps, sudo rights plus users and groups. The Kerberos
architecture has to support two different data centers. Both sites have
several DMZ networks (WWW, Application and Database for the classic
three-tiered environment plus the local LAN). We'd like to use Kerberos
to log in on all of these networks. One slave in the LAN to support
workstations and LAN servers. Two other slaves in a DMZ (which one?) for
DMZ server support and as workstation backup support. We need to have
redundancy of course.


I've created an image of the architecture I just described which you can
see at This
architecture is by no means final. Suggestions are welcomed!


Please let me know what you think. I will post a summary once the
architecture is final.


Many thanks,



Thomas Boutry

UNIX systems administrator
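As an added illustration of the hidden-master layout the post describes (this is not from the original message), here is a client-side MIT krb5.conf fragment that lists only the slaves as KDCs and sends password changes and kadmin traffic to the master. The realm name and host names are assumptions.

```ini
# Added example, not from the post: client krb5.conf for a hidden-master realm.
# Realm EXAMPLE.COM and the host names are assumed; adjust to the real environment.
[libdefaults]
    default_realm = EXAMPLE.COM
    # Keep DNS lookup on so a host without a full krb5.conf can still
    # find KDCs via SRV records.
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        # Only the slaves are listed as KDCs: ordinary AS/TGS ticket
        # requests are answered by them and never need to reach the master.
        kdc = kdc-lan.dc1.example.com
        kdc = kdc-dmz.dc1.example.com
        kdc = kdc-dmz.dc2.example.com

        # Password changes (kpasswd) and kadmin are served only by the
        # master. A "hidden" master therefore still has to be reachable on
        # 464/udp+tcp (kpasswd) and 749/tcp (kadmin) from every network
        # where users change passwords, even if it answers no AS/TGS traffic.
        admin_server = kdc-master.dc1.example.com
        kpasswd_server = kdc-master.dc1.example.com

        # After a preauth failure clients retry against the master, which
        # covers a password that has not yet been propagated to the slaves.
        master_kdc = kdc-master.dc1.example.com
        default_domain = example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

The same mapping can be published as DNS SRV records (_kerberos._udp, _kerberos-adm._tcp, _kpasswd._udp and _kerberos-master._udp under the realm name) so that DMZ hosts without a distributed krb5.conf resolve to the same slaves and master.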

