multiple kdc masters with resilient LDAP backend

rhod davies nomrhod at googlemail.com
Tue Feb 2 07:35:53 EST 2010


Hi,

I've been reading through the mail archives, and doing the obligatory
google search, but seem to be hitting a brick wall on trying to get a
better understanding of something that should be trivial to get a
handle on (I think).

MIT Kerberos 1.7 configured with a KLDAP backend to a multi-master
resilient LDAP service; single realm.

I understand that we can run multiple KDCs in an autonomous way, but
sharing the same data store (in LDAP), this is good, and what I want
to have - i.e. a resilient KDC service.  We can misplace a data
centre, but still offer a KDC service as LDAP has made sure that the
data is replicated around the globe.

There are references to individual/groups who have done this, and all
looks well.  However what are the pitfalls with this approach?
Specifically:

- Is any local state held by the krb5kdc process that would cause
issues down the line?

- Are there any issues with running multiple masters (same backing
store - LDAP) for the same realm?

In a similar vein, can kadmind be made resilient in the same manner?
(All documents I've seen so far are categorical that only one kadmind
service should be running.)

Many Thanks.

-- 
Rhod
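As an added illustration, not part of Rhod's post, the kdc.conf fragment below shows how one KDC in the setup described above (several KDCs, one realm, one replicated LDAP directory) is pointed at more than one LDAP replica through the kldap module's ldap_servers list. The realm name, hostnames, DNs and file paths are placeholders; the directive names are MIT krb5 kdc.conf options.

```ini
# Added example kdc.conf (placeholders throughout), installed identically on
# every KDC that serves the realm from the same LDAP-backed database.
[realms]
    EXAMPLE.COM = {
        database_module = ldap_example
        # The master key stash stays local to each KDC and must be present
        # on every one of them (created with kdb5_ldap_util create -s).
        key_stash_file = /var/krb5kdc/.k5.EXAMPLE.COM
    }

[dbmodules]
    ldap_example = {
        db_library = kldap
        # Whitespace-separated list of directory replicas the KDC may use;
        # ldaps:// (or ldapi://) so credentials and principal data are not
        # sent in the clear. Losing one replica does not take the KDC down.
        ldap_servers = ldaps://ldap-dc1.example.com ldaps://ldap-dc2.example.com
        ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
        # Separate bind identities for the KDC (read) and kadmind (write)
        ldap_kdc_dn = cn=krbkdc,dc=example,dc=com
        ldap_kadmind_dn = cn=krbadmin,dc=example,dc=com
        # Bind passwords for the DNs above, stashed with:
        #   kdb5_ldap_util stashsrvpw -f /etc/krb5kdc/service.keyfile <dn>
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        ldap_conns_per_server = 5
    }
```

The fragment covers only the krb5kdc side. The master key stash file and the service password file are per-host secrets that each KDC needs locally, so they are the pieces to copy out of band when a new KDC is brought up against the shared directory; the question of running more than one kadmind is separate and is left as Rhod posed it.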
