multiple kdc masters with resilient LDAP backend

Ken Raeburn raeburn at MIT.EDU
Tue Feb 2 08:25:44 EST 2010


On Feb 2, 2010, at 07:35, rhod davies wrote:
> I understand that we can run multiple KDCs in an autonomous way, but
> sharing the same data store (in LDAP), this is good, and what I want
> to have - i.e. a resilient KDC service.  We can misplace a data
> centre, but still offer a KDC service as LDAP has made sure that the
> data is replicated around the globe.

You can also run multiple KDCs with replicated data without LDAP; the data just needs to be replicated from one master KDC to the others, and MIT ships code to do that, all at once or incrementally.  If the master KDC should go offline, the others should have the necessary data for one to be (manually) promoted to be the new master.  It is still a one-master-at-a-time setup, though.

Just making sure you don't think LDAP is the only way to run multiple KDCs for a realm....

Ken


-- 
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium




