Multiple KDCs with OpenLDAP
Jaap Winius
jwinius at umrk.nl
Thu May 31 22:36:40 EDT 2012
Quoting Oliver Loch <o.loch at gmx.net>:
> The idea behind the multi (two) master setup is to have a failover
> solution for everything, so that one slapd or one kdc can go down.

It sounds like a good idea, but IMO it may be more trouble than it's
worth. In particular, I assume that your LDAP clients will be able to
figure out which slapd server to write to when one goes down and
another takes over as provider, but what about the Kerberos clients?
Kerberos still works with a single master KDC, with in most cases the
clients using DNS to locate it. But, how are you going to get those
Kerberos DNS records to change automatically and point to the new KDC
master as soon as another slapd server takes over as provider?
Cheers,
Jaap
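
The stale-record problem raised in this message, as an added example that is not part of the original post: a check that flags DNS SRV records for master-only Kerberos services that still point at a host which is no longer the provider. The zone data, the realm EXAMPLE.COM and the host names kdc1/kdc2 are constructed, and the check assumes the master KDC runs on the host whose slapd is currently the provider.

```python
# Added example: constructed zone data with hypothetical host names.
ZONE = """\
_kerberos._udp.EXAMPLE.COM.         IN SRV 0 0 88 kdc1.example.com.
_kerberos._udp.EXAMPLE.COM.         IN SRV 0 0 88 kdc2.example.com.
_kerberos-master._udp.EXAMPLE.COM.  IN SRV 0 0 88 kdc1.example.com.
_kerberos-adm._tcp.EXAMPLE.COM.     IN SRV 0 0 749 kdc1.example.com.
_kpasswd._udp.EXAMPLE.COM.          IN SRV 0 0 464 kdc1.example.com.
"""

# Assumption: these services must reach the single read-write (master) KDC.
MASTER_ONLY = ("_kerberos-master._udp", "_kerberos-adm._tcp", "_kpasswd._udp")


def parse_srv(zone_text):
    """Return {owner_name: [(priority, weight, port, target), ...]}."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[1:3] != ["IN", "SRV"]:
            continue  # not a simple "owner IN SRV prio weight port target" line
        owner = fields[0].rstrip(".").lower()
        prio, weight, port = (int(x) for x in fields[3:6])
        target = fields[6].rstrip(".").lower()
        records.setdefault(owner, []).append((prio, weight, port, target))
    return records


def stale_master_records(zone_text, realm, active_provider):
    """List (owner, target) for master-only SRV records not aimed at the active provider."""
    records = parse_srv(zone_text)
    active = active_provider.rstrip(".").lower()
    stale = []
    for svc in MASTER_ONLY:
        owner = f"{svc}.{realm}".lower()
        for _prio, _weight, _port, target in records.get(owner, []):
            if target != active:
                stale.append((owner, target))
    return stale


if __name__ == "__main__":
    # Before failover kdc1 is the provider; afterwards kdc2 takes over.
    for provider in ("kdc1.example.com", "kdc2.example.com"):
        print(provider, stale_master_records(ZONE, "EXAMPLE.COM", provider))
```

The ordinary `_kerberos._udp` records list both KDCs and are unaffected; only the master-only records go stale after the provider role moves.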