Multiple KDCs with OpenLDAP
Mark Pröhl
mark at mproehl.net
Fri May 25 14:16:22 EDT 2012
On 24.05.2012 18:01, Oliver Loch wrote:
> So given that the multi master synchronization is working, and the
> time sync works too, will I run into database problems with the KDC
> services? Is all the information stored in the DIT and can one of
> the KDCs get into trouble because the data in the tree doesn't match
> the one in its cache (as far as there is one)? That's the main thing
> I'm concerned about.
- I don't think there is a cache. In my setup with OpenLDAP, slapd is
queried every time I do a kinit.
- During initial synchronization of a slapd instance some principal
entries may not yet be synchronized and will be reported as "Client
not found in Kerberos database ...". So slapd instances should only
be activated in kdc.conf after initial synchronization of the LDAP
database.
>
> - Multi master LDAP with multi KDC and LDAP database backend
>
> If I get it right, normally you have one "master kdc" that is writeable
> for changes and stuff and then the changes of the database are pushed to
> the clients. So, in OpenLDAP terms, one provider, multiple consumers.
> But if one uses LDAP as the backend, then you get two providers and
> no consumers, don't you ?
Yes, it is possible to have multi master KDCs when using LDAP as
backend. I have had this setup running for a while.
On the client side you can put multiple passwd_server lines in krb5.conf
or configure multiple _kpasswd._udp.YOUR.REALM SRV records in your DNS
service. However, admin_server can only be specified once.
--
Mark Pröhl
mark at mproehl.net
www.kerberos-buch.de
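A configuration sketch of the setup described in the reply, added here as an illustration and not taken from the mail or from any project: the realm, hostnames, DNs and file paths are assumed, and the option names are the MIT krb5 ones (the krb5.conf option is spelled kpasswd_server).

```ini
# /etc/krb5kdc/kdc.conf on each KDC (assumed realm EXAMPLE.COM)
[realms]
    EXAMPLE.COM = {
        database_module = openldap_kdb
    }

[dbmodules]
    openldap_kdb = {
        db_library = kldap
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
        ldap_kdc_dn = cn=kdc,dc=example,dc=com
        ldap_kadmind_dn = cn=kadmin,dc=example,dc=com
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        # Local provider first; add the second provider only after its
        # syncrepl has finished the initial refresh, otherwise principals
        # it has not received yet fail with "Client not found in Kerberos
        # database".
        ldap_servers = ldapi:/// ldaps://ldap2.example.com
        ldap_conns_per_server = 5
    }

# /etc/krb5.conf on clients
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        # Only one admin_server is used, so kadmin always talks to kdc1.
        admin_server = kdc1.example.com
        # Password changes may go to either KDC; both write into the
        # multi-master LDAP tree.
        kpasswd_server = kdc1.example.com
        kpasswd_server = kdc2.example.com
    }

# Equivalent DNS SRV records (zone file excerpt) when kpasswd_server is
# left out of krb5.conf:
#   _kerberos._udp.example.com.  IN SRV 0 0 88  kdc1.example.com.
#   _kerberos._udp.example.com.  IN SRV 0 0 88  kdc2.example.com.
#   _kpasswd._udp.example.com.   IN SRV 0 0 464 kdc1.example.com.
#   _kpasswd._udp.example.com.   IN SRV 0 0 464 kdc2.example.com.
```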