Multiple KDCs with OpenLDAP

Oliver Loch o.loch at gmx.net
Thu May 24 12:01:50 EDT 2012


Hello,

thank you for your answers. Here some new questions:

- OpenLDAP multi master -> bad idea.

The multi master OpenLDAP setup works like a charm. As far as I can say there are no problems at all.

I read about the "inside" of the multi master setup and the objects are synched based on their entryCSN where the newest one wins. I experienced some (setup) trouble with synchronization in the beginning of the setup, but slapd was able to work that out and everything was ok in the end.

So given that the multi master synchronization is working, and the time sync works too, will I run into database problems with the KDC services? Is all the information stored in the DIT and can one of the KDCs get into trouble because the data in the tree doesn't match the one in its cache (as far as there is one)? That's the main thing I'm concerned about.

- Multi master LDAP with multi KDC and LDAP database backend

If I get it right, normally you have one "master kdc" that is writeable for changes and stuff and then the changes of the database are pushed to the clients. So, in OpenLDAP terms, one provider, multiple consumers. But if one uses LDAP as the backend, then you get two providers and no consumers, don't you?

The idea behind the multi (two) master setup is to have a failover solution for everything, so that one slapd or one kdc can go down. In the LDAP section of krb5.conf I'd add:
...
[dbmodules]
LDAP = {
	... lots of other stuff here
	ldap_servers = ldaps://server1.foo.bar ldaps://server2.foo.bar
	...
}

and vice versa on the other host. All I want is that I do not have to deal with anything when failover is happening. Like a broken database on one of the KDCs or conflicts because they both write to the DIT (write locks), or one of the KDCs crashes because the data returned from the DIT is not the one it expected or something like that.

Thanks again!

KR,

Oliver

On 24.05.2012 at 14:54, Jan-Piet Mens wrote:

>> Do I need to use the kprop tool if I want to run more than one KDC for
>> the same realm or can both KDCs just access the same database inside
>> the DIT of OpenLDAP at the same time?
> 
> Don't use kprop. The advantage of storing the KDC database in LDAP is
> that you make use of OpenLDAP's replication to carry the data over to
> your slave servers.
> 
>> The idea is to run two KDCs that each connect to one of the OpenLDAP
>> masters and are using the same database without the need of kprop.
> 
> Sounds fine to me, although I'm not too sure I would use the
> multi-master stuff, as it may screw up somewhere ... I'd set up a master
> to which all KDCs write and a number of slaves synced with syncrepl.
> 
>        -JP
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
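As an added example (not from the original thread and not the krb5 project's own configuration), here is a complete [dbmodules] stanza of the kind sketched in the message above, with both OpenLDAP masters listed and separate bind identities for the KDC and kadmind; all DNs, hostnames and paths are constructed placeholders.

```ini
# Constructed example: kdc.conf / krb5.conf for a KDC whose principal
# database lives in OpenLDAP. All DNs, hostnames and file paths are
# placeholders; replace them with your own.

[realms]
    FOO.BAR = {
        # Point the realm at the LDAP database module defined below
        database_module = openldap_ldapconf
    }

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap

        # Kerberos container created with "kdb5_ldap_util create"
        ldap_kerberos_container_dn = cn=krbContainer,dc=foo,dc=bar

        # Separate identities for the KDC and for kadmind, so OpenLDAP
        # ACLs can grant each one only the access it needs
        ldap_kdc_dn = cn=kdc-service,ou=services,dc=foo,dc=bar
        ldap_kadmind_dn = cn=kadmin-service,ou=services,dc=foo,dc=bar

        # Bind passwords stashed with "kdb5_ldap_util stashsrvpw"
        ldap_service_password_file = /etc/krb5kdc/service.keyfile

        # Whitespace-separated list of LDAP URIs; both masters are listed
        # so the KDC is not tied to a single slapd. Use ldaps:// (or
        # ldapi:// for a local slapd) so bind credentials are not sent
        # in clear text.
        ldap_servers = ldaps://server1.foo.bar ldaps://server2.foo.bar
        ldap_conns_per_server = 5
    }
```

On the second KDC the same stanza is used with the local master listed first.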
