multiple KDCs and kadmin's talking to the same LDAP instance, is this okay?

Chris Hecker checker at
Mon Jul 23 23:39:03 EDT 2018

I'm moving all the stuff running on a server so I can update it a couple 
major versions so it needs a full wipe, and I'm in that awkward 
transition phase right now.  I have LDAP running on a different machine 
now, with an ssh tunnel open between the two (the LDAP server ports 
aren't exposed publicly), and some /etc/hosts file chicanery to get the 
services that want to talk to LDAP on the old server talking to the new 
server.  Obviously krb5kdc and kadmin are the two ones relevant here, 
although I have two other apps (one in C and one in Perl) that talk to 
both LDAP and libkadm5 so they're also doing the ssh tunnel thing.

Anyway, for moving the KDC et al., I need to wait for a DNS propagation 
for the server name all my clients in the wild use, so I'm just going to 
have both machines running the KDC and kadmin, the old machine running 
them to the LDAP backend over the ssh tunnel, and the new machine 
talking to LDAP directly.  There's no problem with having these two KDCs 
hitting the same LDAP server at the same time, right?  It seems like the 
normal way to scale Kerberos with LDAP is to have LDAP replicate to each 
KDC machine, which seems like it'd be basically the same thing assuming 
instant replication speed. It seems like this would be strictly better 
than that at least? Anything I should be worried about?
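The setup described above, written out as a kdc.conf fragment for the MIT kldap backend; this is an added illustration, not configuration from the post or from the krb5 project, and the realm name, DNs, hostnames, port and paths are placeholders. Because the old host uses the /etc/hosts redirect, the same stanza can be installed on both KDCs unchanged; only the tunnel and the hosts entry differ.

```ini
# kdc.conf fragment shared by OLD and NEW KDC hosts (placeholder values).
[realms]
    EXAMPLE.COM = {
        database_module = ldapconf
    }

[dbmodules]
    ldapconf = {
        db_library = kldap
        ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
        ldap_kdc_dn = cn=kdc-service,dc=example,dc=com
        ldap_kadmind_dn = cn=adm-service,dc=example,dc=com
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        # Same hostname on both KDCs; never a public LDAP port.
        ldap_servers = ldap://ldap.example.com
        ldap_conns_per_server = 5
    }

# NEW host: ldap.example.com resolves normally, KDC talks to LDAP directly.
#
# OLD host only: point the name at the local end of the ssh tunnel,
# then forward local 389 to the LDAP server's loopback port.
#   /etc/hosts:  127.0.0.1  ldap.example.com
#   ssh -N -f -L 389:127.0.0.1:389 admin@new-host.example.com
```

Both KDC instances read and write the same container, so each host also needs the stash file for the same realm master key, and the LDAP bind credentials in the service password file must be valid on the new directory.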
