multiple KDCs and kadmin's talking to the same LDAP instance, is this okay?
checker at d6.com
Mon Jul 23 23:39:03 EDT 2018
I'm moving all the stuff running on a server so I can update it a couple
major versions so it needs a full wipe, and I'm in that awkward
transition phase right now. I have LDAP running on a different machine
now, with an ssh tunnel open between the two (the LDAP server ports
aren't exposed publicly), and some /etc/hosts file chicanery to get the
services that want to talk to LDAP on the old server talking to the new
server. Obviously krb5kdc and kadmin are the two ones relevant here,
although I have two other apps (one in C and one in perl) that talk to
both LDAP and libkadm5 so they're also doing the ssh tunnel thing.
Anyway, for moving the KDC et al., I need to wait for a DNS propagate
for the server name all my clients in the wild use, so I'm just going to
have both machines running the KDC and kadmin, the old machine running
them to the LDAP backend over the ssh tunnel, and the new machine
talking to LDAP directly. There's no problem with having these two KDCs
hitting the same LDAP server at the same time, right? It seems like the
normal way to scale kerberos with LDAP is to have LDAP replicate to each
KDC machine, which seems like it'd be basically the same thing assuming
instant replication speed. It seems like this would be strictly better
than that at least? Anything I should be worried about?
More information about the krbdev