Multiple KDCs with OpenLDAP
Mantas Mikulėnas
grawity at gmail.com
Fri Jun 1 00:13:16 EDT 2012
On Fri, Jun 1, 2012 at 5:36 AM, Jaap Winius <jwinius at umrk.nl> wrote:
> Quoting Oliver Loch <o.loch at gmx.net>:
>
>> The idea behind the multi (two) master setup is to have a failover
>> solution for everything, so that one slapd or one kdc can go down.
>
> It sounds like a good idea, but IMO it may be more trouble than it's
> worth. In particular, I assume that your LDAP clients will be able to
> figure out which slapd server to write to when one goes down and
> another takes over as provider,
There is no such thing as "taking over" in a multi-master setup of
OpenLDAP -- all servers are providers and consumers at the same time
("multiple masters" literally), and writes can be sent to /any/ active
server.
> but what about the Kerberos clients?
> Kerberos still works with a single master KDC, with in most cases the
> clients using DNS to locate it. But, how are you going to get those
> Kerberos DNS records to change automatically and point to the new KDC
> master as soon as another slapd server takes over as provider?
AFAIK [although I may be wrong], ordinary Kerberos works fine with
multiple KDCs, and the "master" designation is only used when
performing password changes or other write operations
(kpasswd/kadmin), since normal kprop is unidirectional. But since the
multi-master setup allows writing to any LDAP server, it's possible to
have kadmind running on all KDCs, and modifications can be done on any
of them.
--
Mantas Mikulėnas
More information about the Kerberos
mailing list