Multiple KDCs with OpenLDAP

Jaap Winius jwinius at umrk.nl
Thu May 31 22:36:40 EDT 2012


Quoting Oliver Loch <o.loch at gmx.net>:

> The idea behind the multi (two) master setup is to have a failover
> solution for everything, so that one slapd or one kdc can go down.

It sounds like a good idea, but IMO it may be more trouble than it's
worth. In particular, I assume that your LDAP clients will be able to
figure out which slapd server to write to when one goes down and
another takes over as provider, but what about the Kerberos clients?
Kerberos still works with a single master KDC, with in most cases the
clients using DNS to locate it. But, how are you going to get those
Kerberos DNS records to change automatically and point to the new KDC
master as soon as another slapd server takes over as provider?

Cheers,

Jaap
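
As an added illustration of the DNS-lookup point raised above (this is example code, not part of the thread or of any Kerberos implementation): Kerberos clients locate KDCs through SRV records and try them in RFC 2782 order, so ticket issuing from `_kerberos._udp` fails over on its own when several KDCs are listed, while the master-only names (`_kerberos-master._udp`, `_kpasswd._udp`) carry a single host and offer no fallback unless DNS is changed. The realm, host names and record set below are constructed sample data.

```python
"""RFC 2782 SRV ordering for Kerberos KDC discovery (constructed sample data)."""
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Constructed zone data for a hypothetical realm EXAMPLE.COM.
# Both KDCs answer AS/TGS requests; only kdc1 holds the master role
# (kadmin / kpasswd), so the master-only names list a single host.
SAMPLE_SRV = {
    "_kerberos._udp.EXAMPLE.COM": [
        SrvRecord(0, 100, 88, "kdc1.example.com"),
        SrvRecord(10, 100, 88, "kdc2.example.com"),
    ],
    "_kerberos-master._udp.EXAMPLE.COM": [
        SrvRecord(0, 100, 88, "kdc1.example.com"),
    ],
    "_kpasswd._udp.EXAMPLE.COM": [
        SrvRecord(0, 100, 464, "kdc1.example.com"),
    ],
}


def rfc2782_order(records, rng=None):
    """Return records in the order an RFC 2782 client tries them:
    ascending priority, weighted-random selection within equal priority."""
    rng = rng or random.Random(0)  # seeded so the example is reproducible
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            pick = rng.uniform(0, total) if total else 0
            running = 0
            for rec in group:
                running += rec.weight
                if running >= pick:
                    chosen = rec
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


def candidates(name, down=frozenset(), zone=SAMPLE_SRV):
    """Hosts a client would actually reach for `name`, skipping hosts that are down.
    An empty result means the lookup has no surviving target."""
    return [r.target for r in rfc2782_order(zone[name]) if r.target not in down]
```

With kdc1 down, `_kerberos._udp` still yields kdc2, but `_kerberos-master._udp` and `_kpasswd._udp` yield nothing, which is exactly the gap a DNS update would have to close.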

