Kerberos master/master sync using OpenLDAP N-Way Multi-Master
Mathew Rowley
mathew_rowley at cable.comcast.com
Wed Mar 11 19:13:33 EDT 2009
I haven't seen this idea posted anywhere. The new version of OpenLDAP (I'm
using 2.4.15) has the ability to run in a multi-master mode. I was able to
set up two servers that each ran a Kerberos instance as well as an OpenLDAP
instance that had ldap and kerberos failover. I now don't need to worry
about doing any sync with Kerberos, as LDAP does it all. I can also run
kadmin against either of the kerberos servers. Some tests I did that were
pretty successful were:

Realm setup:
    kdc = kdc01.security.lab.comcast.net:88
    kdc = kdc02.security.lab.comcast.net:88

Turn off kdc on kdc01 -> successfully authenticated with kdc02
Turn on kdc but turn off ldap on kdc01 -> successfully authenticated with
kdc02

The failover works exactly as I expected.
--
MAT
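An added example, not from Mathew's post, of how the two-node setup he describes could be expressed in a slapd.conf for kdc01 using OpenLDAP 2.4 mirror mode; the hostnames come from the post, while the suffix, the Kerberos container DN, the replication DN and its password are assumed placeholders. kdc02 carries the mirror-image config (serverID 2, provider=ldaps://kdc01.security.lab.comcast.net).

```conf
# slapd.conf on kdc01 (assumed layout; directives are standard OpenLDAP 2.4)
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/kerberos.schema   # ships with MIT krb5 LDAP backend

# Each multi-master node needs a distinct serverID
serverID        1

database        bdb
suffix          "dc=security,dc=lab,dc=comcast,dc=net"
rootdn          "cn=Manager,dc=security,dc=lab,dc=comcast,dc=net"
rootpw          {SSHA}REPLACE_WITH_HASHED_PASSWORD
directory       /var/lib/ldap

# Attributes syncrepl relies on to detect and merge changes
index           objectClass  eq
index           entryCSN     eq
index           entryUUID    eq
index           krbPrincipalName eq

# The Kerberos database (principal keys included) lives under this container,
# so the replica bind DN must be able to read it and the transport must be
# encrypted: use ldaps:// (or starttls=critical) between the two KDCs.
access to dn.subtree="cn=krbContainer,dc=security,dc=lab,dc=comcast,dc=net"
        by dn.exact="cn=replicator,dc=security,dc=lab,dc=comcast,dc=net" read
        by dn.exact="cn=kdc-service,dc=security,dc=lab,dc=comcast,dc=net" read
        by dn.exact="cn=adm-service,dc=security,dc=lab,dc=comcast,dc=net" write
        by * none

# Pull changes from the peer; the peer has the same stanza pointing back here
syncrepl        rid=001
                provider=ldaps://kdc02.security.lab.comcast.net
                bindmethod=simple
                binddn="cn=replicator,dc=security,dc=lab,dc=comcast,dc=net"
                credentials=REPLACE_WITH_REPLICATOR_PASSWORD
                searchbase="dc=security,dc=lab,dc=comcast,dc=net"
                schemachecking=on
                type=refreshAndPersist
                retry="60 +"

# Accept writes on this node as well as on the peer
mirrormode      on

# Serve the changelog to the peer
overlay         syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
```

For the LDAP-side failover in the tests, list both directories in kdc.conf's [dbmodules] stanza, e.g. `ldap_servers = ldaps://kdc01.security.lab.comcast.net ldaps://kdc02.security.lab.comcast.net`, so each KDC can keep answering when its local slapd is down.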