Extensible kadm5 policies

Dmitri Pal dpal at redhat.com
Tue Nov 1 20:29:33 EDT 2011

> I'm also still very dubious that putting the KDC database in an LDAP
> server is a good idea for most people.  That's a huge increase in
> complexity, and introduces a lot of additional things that can go wrong.
> We spend about half of a full-time staff member maintaining our LDAP
> environment, possibly more, including handling things like database and
> performance tuning, upgrades to new versions of OpenLDAP, weird
> interactions with underlying libraries, ACL management, changing to
> cn=config, weird load spikes, and so forth.  The KDCs require maybe five
> hours a month.  The load profile isn't the same, of course, but I think
> that speaks to complexity issues.
If you count AD, KDC+LDAP is the most deployed configuration in the
world. The problem is not in LDAP itself but rather in the level of
manageability of the solution as a whole.
The issues you had prove that the FreeIPA project is the right way to
address the manageability of KDC with LDAP in open source. Once it
is solved you are left with a unified identity and authentication source
and multi-master replication, which are clear benefits over the pure
KDC-based solution.

Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
