SASL/GSSAPI bind in LDAP plugin?
Will Fiveash
William.Fiveash at sun.com
Thu Feb 16 18:48:58 EST 2006
On Thu, Feb 16, 2006 at 03:33:23PM -0800, Henry B. Hotz wrote:
> On Feb 16, 2006, at 2:47 PM, Will Fiveash wrote:
>
> >On Thu, Feb 16, 2006 at 12:48:36PM -0800, Henry B. Hotz wrote:
> >>
> >>
> >>I don't think this answers the question. If you're using Kerberized
> >>replication utilities then you need to configure slave machines to
> >>authenticate against an external kdc to bootstrap. This has nothing
> >>to do with LDAP back-ends.
> >
> >I originally started this thread trying to understand a scenario like
> >the one pictured below (figure thanks to JavE):
> >
> >   +-------+     +-------+     +-------+
> >   |  KDC  |     |  KDC  |     |  KDC  |
> >   +--|----+     +--+----+     +-.-'---+
> >      `-.           |         .-'
> >         `-.        |      .-'
> >            `.      |   .-'
> >              `-.   | .-'
> >                `-.-'
> >             +---------+
> >             | DS/KDC  |
> >             |  (KDB)  |
> >             +---------+
>
> For this to be reasonable I think you would want approximately as
> many DS's as KDC's. I guess the original proposal was that the DS/
> KDC would be used to support a cold startup, but no user interaction
> (otherwise what are the pure KDC's for?).
Yes, the DS/KDC could be used to bootstrap the other KDC(s) only.
> Given good geographic distribution of servers and external
> authentication I suppose warm starts would be easy.
> OR: are we considering an architecture where the Kerberos master has
> its database in LDAP, but the Kerberos slaves get theirs via kprop?
I was not considering this.
--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)