Replicated LDAP as backend

Benjamin Kaduk kaduk at MIT.EDU
Wed Jul 23 21:58:55 EDT 2014


On Wed, 23 Jul 2014, Paul van der Vlis wrote:

> Hello,
>
> I am the administrator of a Kerberos system. The backend of Kerberos is
> LDAP. I use it for NFS home-directories and shares. Now there is a
> second location of the organisation, and they would like to have the
> same system there.
>
> What I did is a replication of the LDAP to the new location, so the LDAP
> is read-only. And I've installed Kerberos with that LDAP as the backend.
> It seems to work. I create accounts on the old location and they are
> replicated to the new location. And I can use Kerberos on the new location.
>
> My question is: is this a good setup?
>
> A goal is that we want to be able to work even when there is no
> internet connection between both locations.

That should be a fine setup.  The only thing that seems worth noting is 
that the "old" Kerberos server (KDC) is the master KDC, so administrative 
actions must be done against that site (and will not be possible from the 
new location if there is no connection between the two locations).

-Ben Kaduk
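To make the point above concrete, here is a sketch (added for illustration, not from either poster) of how the two sites would be described in krb5.conf and kdc.conf for MIT krb5 with the kldap backend. Realm, host names, DNs and file paths are constructed assumptions; the option names are MIT krb5's own.

```ini
# --- krb5.conf on clients at BOTH sites (constructed example) ---
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        # Both KDCs can issue tickets: the new site's KDC reads from
        # the read-only LDAP replica, so kinit keeps working there even
        # when the inter-site link is down.
        kdc = kdc-old.example.com
        kdc = kdc-new.example.com
        # Only the master KDC (old site) runs kadmind and can write to
        # the LDAP master. kadmin / kpasswd from the new site need the
        # link to be up; they have nowhere else to go.
        master_kdc   = kdc-old.example.com
        admin_server = kdc-old.example.com
    }

# --- kdc.conf on kdc-new.example.com (constructed example) ---
[realms]
    EXAMPLE.COM = {
        database_module = ldap_replica
    }

[dbmodules]
    ldap_replica = {
        db_library = kldap
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
        # kdc DN only needs read access to the replica; no kadmind
        # runs here, so no ldap_kadmind_dn is configured on this host.
        ldap_kdc_dn = cn=kdc-service,dc=example,dc=com
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        # Point at the LOCAL read-only replica, not the master,
        # so ticket issuance does not depend on the WAN link.
        ldap_servers = ldaps://ldap-replica.new-site.example.com
        ldap_conns_per_server = 5
    }
```

With this layout, kinit and service-ticket requests at the new site succeed against the local replica during an outage, while kadmin, kpasswd and principal creation fail until the link to the master KDC returns, which is the operational caveat to document for the new site's staff.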

