kerberos openldap
Jaap Winius
jwinius at umrk.nl
Sat Jul 3 09:06:09 EDT 2010
On Tue, 29 Jun 2010 05:34:25 -0700, Thiago Gonzaga B. Galvão wrote:
> I have an OpenLDAP server working on my network, and it stores my users'
> info. I'm making a Kerberos server on another machine. Can the Kerberos
> server use that LDAP database, which is on another machine? ...
Strictly speaking, no, because a remote LDAP server is rather useless to
a Kerberos server.
On the other hand, an LDAP server can use a remote Kerberos server for
authentication and encryption. In fact, this is a rather popular
solution. See:
OpenLDAP provider with MIT Kerberos V
http://www.rjsystems.nl/en/2100-openldap-provider-kerberos.php
This works fine in a two-server system like yours, except that it does
not offer much in the way of redundancy: instead of just one, now two
servers must always be up for your LDAP service to remain available.
That's not exactly a recipe for increased reliability.
> ... Or should both stay on the same machine?
Indeed. In your case, a better solution would be to run both an OpenLDAP
provider server and a Kerberos master server on the first machine, with
the OpenLDAP server acting as the backend database for the Kerberos
server. Then, use the second machine as an OpenLDAP consumer and Kerberos
slave server. This way, you will increase your redundancy by 100% instead
of decreasing it by 50%. See:
Integrated Kerberos-OpenLDAP provider
http://www.rjsystems.nl/en/2100-kerberos-openldap-provider.php
This construction also allows your Kerberos server to take advantage of
the much better replication engine that comes with OpenLDAP.
Cheers,
Jaap
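A configuration sketch of the two-machine layout described above, added here as an example; it is not from the original post or the linked rjsystems.nl pages. The realm EXAMPLE.COM, the host ldap1.example.com, the DNs, the service password file and the bind identities are assumed placeholders; the kdc.conf and slapd.conf keywords are MIT Kerberos and OpenLDAP ones.

```conf
# --- Machine 1: Kerberos master KDC, /etc/krb5kdc/kdc.conf (MIT Kerberos)
# The KDC stores its principals in the OpenLDAP provider on the same
# machine, reached over the local ldapi:/// socket.
[realms]
    EXAMPLE.COM = {
        database_module = openldap_ldapconf
    }

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        # assumed DNs: container for principals, read-only KDC bind,
        # read-write kadmind bind
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
        ldap_kdc_dn = cn=kdc-service,dc=example,dc=com
        ldap_kadmind_dn = cn=adm-service,dc=example,dc=com
        # bind passwords for the two DNs above, written by kdb5_ldap_util
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        ldap_servers = ldapi:///
        ldap_conns_per_server = 5
    }

# --- Machine 2: OpenLDAP consumer, slapd.conf fragment
# syncrepl copies the whole suffix, so the krbContainer subtree and thus
# every principal arrives here through OpenLDAP replication; no separate
# kprop/kpropd dump-and-push is needed for the slave KDC.
database   hdb
suffix     "dc=example,dc=com"
# assumed provider host; the consumer authenticates with its own host
# keytab via GSSAPI and requires TLS on the replication connection
syncrepl   rid=001
           provider=ldap://ldap1.example.com
           type=refreshAndPersist
           retry="60 +"
           searchbase="dc=example,dc=com"
           bindmethod=sasl
           saslmech=GSSAPI
           starttls=critical
# any write attempted on the consumer is referred back to the provider
updateref  ldap://ldap1.example.com

# --- Machine 2: slave KDC
# Reuse the [dbmodules] stanza above unchanged: ldap_servers = ldapi:///
# now points at the local consumer. Run krb5kdc here but not kadmind,
# since the consumer copy is read-only, and copy the master key stash
# from machine 1 so this KDC can decrypt the replicated principal keys.
```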