multiple kdc masters with resilient LDAP backend
rhod davies
nomrhod at googlemail.com
Tue Feb 2 07:35:53 EST 2010
Hi,
I've been reading through the mail archives, and doing the obligatory
google search, but seem to be hitting a brick wall on trying to get a
better understanding of something that should be trivial to get a
handle on (I think).
MIT Kerberos 1.7 configured with a KLDAP backend to a multi-master
resilient LDAP
service; single realm.
I understand that we can run multiple KDCs in an autonomous way, but
sharing the same data store (in LDAP), this is good, and what I want
to have - i.e. a resilient KDC service. We can misplace a data
centre, but still offer a KDC service as LDAP has made sure that the
data is replicated around the globe.
There are references to individual/groups who have done this, and all
looks well. However what are the pitfalls with this approach?
Specifiaclly:
- Is any local state held by the krb5kdc process that would cause
issues down the line?
- Ar there any issues with running multiple master (same backing store
- LDAP) for the same realm?
In a similar vein can kadmind be made resilient in the same manner
(all documents I've seen so far are catagorical that only one kadmind
service should be running).
Many Thanks.
--
Rhod
More information about the Kerberos
mailing list