Multiple KDCs with OpenLDAP

Jan-Piet Mens jpmens.dns at gmail.com
Thu May 24 14:31:01 EDT 2012


> The multi master OpenLDAP setup works like a charm. As far as I can
> say there are no problems at all.

That is very good to hear. Maybe I should shrug my pessimism off and
give it a try. Considering I'm in the midst of a project setting up
Kerberos with an LDAP back-end, I might do that... :)

> So given that the multi master synchronization is working, and the
> time sync works too, will I run into database problems with the KDC
> services? Is all the information stored in the DIT and can one of the
> KDCs get into trouble because the data in the tree doesn't match the
> one in its cache (as far as there is one)? That's the main thing I'm
> concerned about.

No, you won't. Everything is stored in the DIT (except for the stash
file which the KDC needs to obtain the credentials with which to connect
to the LDAP directory server). 

To my knowledge, the KDCs don't cache anything in files, so that won't
be a concern.

> - Multi master LDAP with multi KDC and LDAP database backend
> 
> If I get it right, normally you have one "master kdc" that is
> writeable for changes and stuff and then the changes of the database
> are pushed to the clients. So, in OpenLDAP terms, one provider,
> multiple consumers. But if one uses LDAP as the backend, then you get
> two providers and no consumers, don't you ?

Yes.

> The idea behind the multi (two) master setup is to have a failover
> solution for everything, so that one slapd or one kdc can go down. In
> the LDAP section of krb5.conf I'd add: ...
>
> [dbmodules]
> LDAP = {
> 	... lots of other stuff here
> 	ldap_servers = ldaps://server1.foo.bar ldaps://server2.foo.bar
> 	...
> }

Looks sane to me.

> and vice versa on the other host. All I want is that I do not have to
> deal with anything when failover is happening. Like a broken Database
> on one of the KDCs or conflicts because they both write to the DIT
> (write locks), or one of the KDCs crashes because the data returned
> from the DIT is not the one it expected or something like that.

That should be possible to implement. 

(BTW and because your name sounds as though you master the German
 language, do you know this book http://www.kerberos-buch.de/ ? I
 thought it pretty good; a bit Ubuntu-lastig, but it may give you some
 inspiration.)

        -JP
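A fuller version of the [dbmodules] stanza quoted in the thread, written here as an added example rather than taken from the original message: the realm name, the container and service DNs, and the file paths are assumptions, while the two ldaps:// URIs are the ones quoted above. The option names are MIT krb5 kdc.conf/krb5.conf parameters; the stash file is the one piece of KDC state the reply notes is not held in the DIT.

```ini
# kdc.conf (or krb5.conf) for a KDC whose database is the OpenLDAP
# multi-master pair. Added example, not from the thread: realm, DNs and
# paths are assumed; the ldap_servers URIs are from the quoted config.

[realms]
    EXAMPLE.COM = {
        database_module = LDAP
    }

[dbmodules]
    LDAP = {
        db_library = kldap

        # Both masters are listed; since all principal data lives in the
        # DIT, either server can serve the KDC once syncrepl has converged.
        ldap_servers = ldaps://server1.foo.bar ldaps://server2.foo.bar

        # Realm container in the tree (assumed DN).
        ldap_kerberos_container_dn = cn=krbContainer,dc=foo,dc=bar

        # Identities the KDC and kadmind bind to the directory as (assumed DNs).
        ldap_kdc_dn     = cn=kdc-service,dc=foo,dc=bar
        ldap_kadmind_dn = cn=adm-service,dc=foo,dc=bar

        # The stash file: the only KDC state outside the DIT. It holds the
        # bind passwords for the DNs above, so it must exist (root-only,
        # mode 0600) on every KDC host. It is written with
        #   kdb5_ldap_util stashsrvpw -f /etc/krb5kdc/service.keyfile cn=kdc-service,dc=foo,dc=bar
        ldap_service_password_file = /etc/krb5kdc/service.keyfile

        ldap_conns_per_server = 5
    }
```

The same stanza goes on the second KDC host with its own copy of the stash file; nothing else needs to differ between the two.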
