Multiple KDCs with OpenLDAP

Mantas Mikulėnas grawity at
Fri Jun 1 00:13:16 EDT 2012

On Fri, Jun 1, 2012 at 5:36 AM, Jaap Winius <jwinius at> wrote:
> Quoting Oliver Loch <o.loch at>:
>> The idea behind the multi (two) master setup is to have a failover
>> solution for everything, so that one slapd or one kdc can go down.
> It sounds like a good idea, but IMO it may be more trouble than it's
> worth. In particular, I assume that your LDAP clients will be able to
> figure out which slapd server to write to when one goes down and
> another takes over as provider,

There is no such thing as "taking over" in a multi-master setup of
OpenLDAP -- all servers are providers and consumers at the same time
("multiple masters" literally), and writes can be sent to /any/ active

> but what about the Kerberos clients?
> Kerberos still works with a single master KDC, with in most cases the
> clients using DNS to locate it. But, how are you going to get those
> Kerberos DNS records to change automatically and point to the new KDC
> master as soon as another slapd server takes over as provider?

AFAIK [although I may be wrong], ordinary Kerberos works fine with
multiple KDCs, and the "master" designation is only used when
performing password changes or other write operations
(kpasswd/kadmin), since normal kprop is unidirectional. But since the
multi-master setup allows writing to any LDAP server, it's possible to
have kadmind running on all KDCs, and modifications can be done on any
of them.

Mantas Mikulėnas
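Added example, not code from the original post nor from the Kerberos or OpenLDAP projects: a small simulation of what the reply above relies on, namely that a client which locates KDCs through DNS SRV records (MIT krb5's dns_lookup_kdc behaviour) already sees every KDC and simply falls over to the remaining one, so no DNS record has to be rewritten when a KDC goes down. The realm EXAMPLE.COM, the host names kdc1/kdc2 and the zone data are constructed for illustration; the record names (_kerberos._udp, _kerberos-adm._tcp, _kpasswd._udp) are the standard ones, and the choice to list both KDCs under the admin and kpasswd names is the post's "kadmind on all KDCs" case, not a general recommendation.

```python
"""Added example (not from the original post or from the Kerberos/OpenLDAP
projects): how a Kerberos client that locates KDCs via DNS SRV records
(MIT krb5's dns_lookup_kdc behaviour) chooses among several servers and
falls over to the remaining KDC when one is down.  Realm EXAMPLE.COM, the
host names and the zone data are constructed for illustration."""
import random
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class SRV:
    """One DNS SRV record (RFC 2782)."""
    priority: int   # lower is tried first
    weight: int     # relative share among equal priorities
    port: int
    target: str


# Constructed zone for a realm with two KDCs.  Both hold a full replica of
# the principal database, so they share a priority and a client may send
# AS/TGS requests to either.  With kadmind on both KDCs (the multi-master
# LDAP backend case from the post), the admin and kpasswd records can
# list both hosts as well; with a single master they would list only it.
ZONE: Dict[str, List[SRV]] = {
    "_kerberos._udp.example.com.": [
        SRV(0, 100, 88, "kdc1.example.com."),
        SRV(0, 100, 88, "kdc2.example.com."),
    ],
    "_kerberos-adm._tcp.example.com.": [
        SRV(0, 100, 749, "kdc1.example.com."),
        SRV(0, 100, 749, "kdc2.example.com."),
    ],
    "_kpasswd._udp.example.com.": [
        SRV(0, 100, 464, "kdc1.example.com."),
        SRV(0, 100, 464, "kdc2.example.com."),
    ],
}


def order_srv(records: Iterable[SRV], seed: int = 0) -> List[SRV]:
    """Order records as RFC 2782 prescribes: ascending priority, then a
    weighted random shuffle within each priority group (seeded so the
    result is reproducible)."""
    rng = random.Random(seed)
    by_prio: Dict[int, List[SRV]] = {}
    for rec in records:
        by_prio.setdefault(rec.priority, []).append(rec)
    ordered: List[SRV] = []
    for prio in sorted(by_prio):
        group = list(by_prio[prio])
        while group:
            total = sum(r.weight for r in group)
            pick = rng.uniform(0, total) if total else 0.0
            acc = 0
            for rec in group:
                acc += rec.weight
                if acc >= pick:
                    ordered.append(rec)
                    group.remove(rec)
                    break
    return ordered


def locate(service: str, realm: str, reachable: Set[str],
           zone: Dict[str, List[SRV]] = ZONE, seed: int = 0) -> str:
    """Resolve <service>.<realm> and return the first server, in SRV
    order, that answers.  'reachable' stands in for a live connection
    attempt; hosts not in it are treated as down and skipped."""
    name = f"{service}.{realm}.".lower()
    candidates = order_srv(zone.get(name, []), seed)
    if not candidates:
        raise LookupError(f"no SRV records for {name}")
    for rec in candidates:
        if rec.target in reachable:
            return f"{rec.target.rstrip('.')}:{rec.port}"
    raise ConnectionError(f"no reachable server for {name}")


if __name__ == "__main__":
    both = {"kdc1.example.com.", "kdc2.example.com."}
    print("ticket request  ->", locate("_kerberos._udp", "EXAMPLE.COM", both))
    # kdc1 goes down: the unchanged DNS data still leads the client to kdc2.
    only2 = {"kdc2.example.com."}
    print("ticket request  ->", locate("_kerberos._udp", "EXAMPLE.COM", only2))
    print("password change ->", locate("_kpasswd._udp", "EXAMPLE.COM", only2))
```

The failover happens entirely on the client side: the ticket-granting path needs no notion of a "master" at all, and the kpasswd/kadmin path only needs one if a single KDC is the sole writer. If kadmind does not run on every KDC, the `_kerberos-adm._tcp` and `_kpasswd._udp` records (or `admin_server` in krb5.conf) should list only the KDC that actually accepts writes.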

More information about the Kerberos mailing list