Kerberos & LDAP

Guillaume Rousse Guillaume.Rousse at inria.fr
Sun Jan 17 06:50:18 EST 2010


On 16/01/2010 06:49, Prasad (普拉萨德) wrote:
> I am ok that we normally use the Kerberos to keep the password and LDAP is
> just for authorization. But then if my DNS goes down, then no one can log in
> to the system because Kerberos is highly dependent on the DNS and NTP.
'Highly' is a bit over-exaggerated here...

If your DNS goes down, your main problem is not authentication, it's
reaching the resource you're wanting to access, unless you're referring
to local user authentication on a workstation. And if that's such a
concern, and your DNS is so fragile, nothing prevents you from hardcoding
critical resource addresses in /etc/hosts files.

And NTP is just a way to ensure various clocks stay synchronized
permanently. Unless you're using virtualisation technologies making
system clocks unreliable, computers don't drift so much as to exceed
the maximum Kerberos time skew (which is configurable, moreover) before
several days, usually.

-- 
BOFH excuse #445:

Browser's cookie is corrupted -- someone's been nibbling on it.
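As an added illustration (not part of the post above, and not the poster's configuration), here is an MIT Kerberos krb5.conf that does what the reply describes: it drops the runtime DNS dependency by listing KDCs statically, and it makes the clock-skew tolerance explicit. The realm EXAMPLE.COM and the kdc1/kdc2 host names are placeholders.

```ini
# Added example (constructed): static KDC lookup and explicit skew tolerance.
[libdefaults]
    default_realm = EXAMPLE.COM
    # Do not use DNS SRV/TXT records to locate KDCs or map hosts to realms;
    # rely on the [realms] and [domain_realm] sections below instead.
    dns_lookup_kdc = false
    dns_lookup_realm = false
    # Maximum tolerated client/KDC clock difference, in seconds.
    # 300 is the library default; it is spelled out here because the post
    # points out that the skew is configurable. Keep NTP running anyway,
    # since tickets carry absolute timestamps.
    clockskew = 300

[realms]
    EXAMPLE.COM = {
        # Placeholder hosts; list more than one KDC for redundancy.
        kdc = kdc1.example.com:88
        kdc = kdc2.example.com:88
        admin_server = kdc1.example.com:749
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

The KDC names still have to resolve, so if DNS itself is the fragile piece, pair this with /etc/hosts entries such as `192.0.2.10 kdc1.example.com` (address from the documentation range, placeholder only).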
