[37024] in Kerberos

Re: Multi-tenancy in MIT KDC

daemon@ATHENA.MIT.EDU (Tim Mooney)
Fri May 29 19:13:54 2015

Date: Fri, 29 May 2015 18:00:20 -0500 (CDT)
From: Tim Mooney <Tim.Mooney@ndsu.edu>
To: "kerberos@mit.edu" <kerberos@mit.edu>
In-Reply-To: <759f2b6837994ba2b62e6bc5934e3c14@EX13-MBX-019.vmware.com>
Message-ID: <alpine.SOC.2.11.1505291748510.1771@dogbert.cc.ndsu.NoDak.edu>

In regard to: Multi-tenancy in MIT KDC, Firouzeh Jalilian said (at 10:24pm...:

> I would like to know if there is any support currently for multi-tenancy
> in MIT KDC?

What do you mean by multi-tenancy?  Do you mean one krb5kdc process
serving multiple distinct realms?  If so, then yes, that's possible.
We've served 11 different realms from one krb5kdc process.

You have to run separate kadmind processes, each on a separate port,
because those can't serve multiple realms.  On your secondary kdcs,
you also need to run a separate kpropd per realm, each on its own
port.

We've done it for years and it works, but if we were starting over,
these days I'm not certain I would choose the same path.  Depending on
your realms, it might be better to use separate VMs or containers,
depending on what you're comfortable with.

Tim
-- 
Tim Mooney                                             Tim.Mooney@ndsu.edu
Enterprise Computing & Infrastructure                  701-231-1076 (Voice)
Room 242-J6, Quentin Burdick Building                  701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
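
The layout described in the message above, sketched as a kdc.conf fragment with the matching daemon invocations in comments. This is an added example, not part of the original post or Tim Mooney's configuration; the realm names, paths and non-default port numbers are constructed placeholders.

```ini
# kdc.conf on the primary KDC host (constructed example).
# All realms listed here are answered by the same krb5kdc process.
[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

[realms]
    TENANT-A.EXAMPLE = {
        database_name = /var/krb5kdc/tenant-a/principal
        key_stash_file = /var/krb5kdc/tenant-a/.k5.TENANT-A.EXAMPLE
        acl_file = /var/krb5kdc/tenant-a/kadm5.acl
        # kadmind for this realm listens here
        kadmind_port = 749
        kpasswd_port = 464
    }
    TENANT-B.EXAMPLE = {
        # Separate database, stash file and ACL per realm
        database_name = /var/krb5kdc/tenant-b/principal
        key_stash_file = /var/krb5kdc/tenant-b/.k5.TENANT-B.EXAMPLE
        acl_file = /var/krb5kdc/tenant-b/kadm5.acl
        # Must not collide with the other realm's kadmind on the same host
        kadmind_port = 750
        kpasswd_port = 465
    }

# One KDC process serving both realms:
#   krb5kdc -r TENANT-A.EXAMPLE -r TENANT-B.EXAMPLE
#
# One kadmind per realm; each picks up its own kadmind_port from above:
#   kadmind -r TENANT-A.EXAMPLE
#   kadmind -r TENANT-B.EXAMPLE
#
# On each secondary KDC, one kpropd per realm, each on its own port:
#   kpropd -r TENANT-A.EXAMPLE -P 754
#   kpropd -r TENANT-B.EXAMPLE -P 755
#
# The primary pushes each realm's dump to the matching kpropd port:
#   kprop -r TENANT-A.EXAMPLE -P 754 -f <dump file> <secondary host>
#   kprop -r TENANT-B.EXAMPLE -P 755 -f <dump file> <secondary host>
```

Clients administering a realm on a non-default port need the same port in the `admin_server` entry for that realm in their krb5.conf.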