Multiple KDCs with OpenLDAP

Jan-Piet Mens jpmens.dns at gmail.com
Fri Jun 1 02:20:22 EDT 2012


> > The idea behind the multi (two) master setup is to have a failover  
> > solution for everything, so that one slapd or one kdc can go down.
> 
> It sounds like a good idea, but IMO it may be more trouble than it's  
> worth.

I've thrown aside my pessimism and have implemented the following
scenario with OpenLDAP MultiMaster replication: (forgive my drawing
skills...)

               +---------------------------+------------------+
               |                           |                +-|---------+
  +------------|------+        +-----------|------+         | +         |
  |            +      |        |           +      |         |           |
  |-------------------|        |------------------|         |  client   |
  |                   |        |                  |         |           |
  |                   |        |                  |         |           |
  |       KDC1    +   |        |      KDC2        |         +-----------+
  |          +    |   |    +------+          +    |
  |          |    |   |    |   |             |    |
  +----------|----|---+    |   +-------------|----+
             |    |        |                 |
             |    |        |                 |
             |    |        |                 |
             |    |        |                 |
  +----------|----|---+    |   +-------------|----+
  |          |    +--------|------->         |    |
  |          +---->   |    |   |             ++   |
  |      LDAP1        |    |   |     LDAP2        |
  |                +-------+   |                  |
  +-------------------+        +------------------+


> In particular, I assume that your LDAP clients will be able to  
> figure out which slapd server to write to when one goes down and  
> another takes over as provider, but what about the Kerberos clients?  

LDAP clients write to any of the LDAP servers; MMR takes care of
replicating changes to the other LDAP servers. I've tested with several
million ADD/MODIFY/INCREMENT operations thrown at either ldap1 or
ldap2 and haven't broken replication yet...

> Kerberos still works with a single master KDC, with in most cases the  
> clients using DNS to locate it. But, how are you going to get those  
> Kerberos DNS records to change automatically and point to the new KDC  
> master as soon as another slapd server takes over as provider?

I'm not using DNS to locate the KDCs, rather specifying kdc1 and kdc2 in
krb5.conf, same for the kadmin server (Puppet helps). The configuration
of the KDCs proper (kdc.conf) specifies each of the LDAP servers in the
ldap_servers parameter (ldapi:// for its "closest" and ldaps:// for the
other).

I've taken down each of the four components involved, individually and
in pairs (e.g. KDC2 and LDAP1). The client contacts one of the KDCs
which speaks to one of the LDAP servers. As soon as the other LDAP
server returns to life, changes are replicated to it and, if contacted
by a KDC, can offer up-to-date entries to it.

What I haven't yet tested is whether using DNS records with different
weights would work, respectively how long a client will wait attempting
to reach each of the KDCs until it succeeds.

        -JP
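As an added illustration (not part of JP's message or of any project's shipped configuration), the two files he describes might look like this in MIT Kerberos syntax on the KDC1 host. The realm name, hostnames, container DN, bind DN and file paths are assumed placeholders; ldapi:/// assumes slapd runs on the same machine as the KDC, as the Unix-socket scheme requires.

```ini
; /etc/krb5.conf on every client and on both KDCs (added example, assumed names).
; Two kdc lines instead of DNS SRV lookups: libkrb5 tries them in order and
; moves on if one is unreachable, which is the failover the post relies on.
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
        admin_server = kdc2.example.com
    }

; /etc/krb5kdc/kdc.conf on KDC1 (added example; KDC2 swaps the two ldap_servers
; entries so its local slapd comes first).
[realms]
    EXAMPLE.COM = {
        database_module = openldap_mmr
    }

[dbmodules]
    openldap_mmr = {
        db_library = kldap
        ; whitespace-separated list; the KDC falls back to the next server on failure
        ldap_servers = ldapi:///  ldaps://ldap2.example.com
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
        ldap_kdc_dn = cn=kdc-service,dc=example,dc=com
        ldap_kadmind_dn = cn=kadmin-service,dc=example,dc=com
        ; bind password stash, written with: kdb5_ldap_util stashsrvpw <dn>
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        ldap_conns_per_server = 5
    }
```

Two points worth checking in a setup like this: the remote server is reached over ldaps:// (not plain ldap://) so that the KDC bind password and the principal keys it reads never cross the wire unprotected, and the service.keyfile must be readable only by the account the KDC runs as, since anyone who can read it can bind with the KDC's own LDAP rights.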
