multiple kdc masters with resilient LDAP backend
rhod davies
nomrhod at googlemail.com
Tue Feb 2 09:23:00 EST 2010
On Tuesday, February 2, 2010, Ken Raeburn <raeburn at mit.edu> wrote:
> You can also run multiple KDCs with replicated data without LDAP; the data just needs to be replicated from one master KDC to the others, and MIT ships code to do that, all at once or incrementally. If the master KDC should go offline, the others should have the necessary data for one to be (manually) promoted to be the new master. It is still a one-master-at-a-time setup, though.
>
> Just making sure you don't think LDAP is the only way to run multiple KDCs for a realm....
Yes, I get that, thanks.
It's that we have a new clean slate to begin with, and want to be as
resilient as possible from the start. The benefit of having a
multi-master (LDAP-backed) configuration would be no need to promote a
slave to replace a failing master, and also letting LDAP take the
replication load. Just want to be sure that nothing's going to bite
us.
Cheers
--
Rhod