Multiple domains in one KDC process?
Rick van Rein (OpenFortress)
rick at openfortress.nl
Thu Oct 17 10:57:48 EDT 2013
Hi,
>> Still, this isn't dynamically configurable… is it the only way to do it?
>
> It's the only supported way to do it.
Perhaps that's a feature request then, at least for the LDAP-backed versions:
- next -r to point to individual krbRealmContainer, have -R to point to a krbContainer containing a dynamic set
- as part of [realms] specifying (with $REALM in various places) a generic pattern for realms, and resolving this dynamically
- load domain, KDC, adminserver etc. from LDAP
Since you don't sound as if this would be tasteless conduct -- does it sound to you like a k5wiki-style "Project", or is it a "Welcome Patch"?
> The unsupported way [black magic]
…sounds a no-go area for long-term stability, but thanks.
>> And will kadmin / kpasswd work?
>
> We do not currently have multi-realm support for kadmind (and by
> extension, password-changes). Each realm needs its own kadmind running
> on a different port.
A bit awkward, but less problematic, since that is internal stuff -- where IPs are not in such tight supply. Yes, IPv6, I know :-)
Thanks,
-Rick