multiple kdc masters with resilient LDAP backend

rhod davies nomrhod at googlemail.com
Tue Feb 2 09:23:00 EST 2010


On Tuesday, February 2, 2010, Ken Raeburn <raeburn at mit.edu> wrote:
> You can also run multiple KDCs with replicated data without LDAP; the data just needs to be replicated from one master KDC to the others, and MIT ships code to do that, all at once or incrementally.  If the master KDC should go offline, the others should have the necessary data for one to be (manually) promoted to be the new master.  It is still a one-master-at-a-time setup, though.
>
> Just making sure you don't think LDAP is the only way to run multiple KDCs for a realm....

Yes, I get that, thanks.

It's that we have a new clean slate to begin with, and want to be as
resilient as possible from the start.  The benefit of having a
multi-master (ldap backed) configuration would be no need to promote a
slave to replace a failing master, and also letting ldap take the
replication load.  Just want to be sure that nothing's going to bite
us.

Cheers

-- 
Rhod
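For concreteness, the two deployment shapes compared in this thread side by side. This is an added example written for this page, not configuration from the thread's authors or from the MIT krb5 distribution; the realm EXAMPLE.COM, the hosts kdc1/kdc2 and ldap1/ldap2, the DNs and the file paths are assumptions. The option names are MIT kdc.conf options (the kldap module and iprop were both present in the 1.8-era releases discussed here).

```ini
# Added example (not from the thread). Two MIT KDCs for EXAMPLE.COM.
# Hostnames, DNs and paths below are assumptions for illustration.

# ===== Shape 1: LDAP-backed realm database, every KDC is a master =====
# /var/kerberos/krb5kdc/kdc.conf, identical on kdc1 and kdc2
[kdcdefaults]
    kdc_ports = 88

[realms]
    EXAMPLE.COM = {
        database_module = openldap_ldapconf
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        master_key_type = aes256-cts
        supported_enctypes = aes256-cts:normal aes128-cts:normal
    }

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        # Space-separated list of directory replicas. The KDC tries them in
        # order, so losing ldap1 does not take the KDC down; the directory's
        # own replication (OpenLDAP syncrepl, for example) carries the
        # principal data between ldap1 and ldap2.
        ldap_servers = ldaps://ldap1.example.com ldaps://ldap2.example.com
        ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
        # Separate bind identities for the KDC (read) and kadmind (write);
        # their passwords are stashed with:
        #   kdb5_ldap_util stashsrvpw -f /var/kerberos/krb5kdc/service.keyfile <dn>
        ldap_kdc_dn = cn=krbkdc,dc=example,dc=com
        ldap_kadmind_dn = cn=krbadmin,dc=example,dc=com
        ldap_service_password_file = /var/kerberos/krb5kdc/service.keyfile
        ldap_conns_per_server = 5
    }

# ===== Shape 2: what Ken describes, one master plus kprop/iprop replicas =====
# /var/kerberos/krb5kdc/kdc.conf on the master (kdc1)
[realms]
    EXAMPLE.COM = {
        database_name = /var/kerberos/krb5kdc/principal
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        # Incremental propagation: kadmind keeps an update log that the
        # replicas' kpropd pulls; a full dump/kprop is only needed to seed
        # a replica or when the log has wrapped.
        iprop_enable = true
        iprop_master_ulogsize = 2500
        iprop_slave_poll = 2m
    }
# On each replica (kdc2) the same stanza is used, and
# /var/kerberos/krb5kdc/kpropd.acl lists the master's host principal:
#   host/kdc1.example.com@EXAMPLE.COM
# If kdc1 dies, kdc2 is promoted by hand: start kadmind on it and point
# the other replicas' kpropd.acl at host/kdc2.example.com@EXAMPLE.COM.

# ===== Client side, the same for both shapes =====
# /etc/krb5.conf: list every KDC so clients fail over on their own
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
    }
```

In shape 1 the thing to check before relying on it is the directory, not the KDC: confirm that each `ldap_servers` entry is a replica that accepts writes from kadmind's bind DN (or that kadmind is only run against a writable one), and that the TLS certificates on ldap1 and ldap2 validate from the KDC hosts, since a bind failure there looks to clients like a dead KDC. In shape 2 the single point of writes is the master's kadmind; password changes and principal edits stop when it is down until someone performs the manual promotion.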
