Multiple KDCs with OpenLDAP
Russ Allbery
rra at stanford.edu
Fri Jun 1 02:29:41 EDT 2012
Jan-Piet Mens <jpmens.dns at gmail.com> writes:
> What I haven't yet tested is whether using DNS records with different
> weights would work, respectively how long a client will wait attempting
> to reach each of the KDCs until it succeeds.
Our experience is "not long." There can be a noticable delay when we take
down our primary KDC if you're looking for it, but it's well within the
sort of variation that users tend not to notice.
We list one of our KDCs as primary in all of our configuration and give it
a preferred priority in DNS, and yet we get substantial traffic to the
second KDC just because the primary KDC, while up and responding, is
occasionally slightly slow (by which I mean delays on the order of a
second, not more).
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list