[30095] in Kerberos


Two (or more) KDCs and a single LDAP directory

daemon@ATHENA.MIT.EDU (Klaus Heinrich Kiwi)
Tue Jul 15 11:23:19 2008

From: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
To: Kerberos@mit.edu
Date: Tue, 15 Jul 2008 12:21:56 -0300
Message-Id: <1216135316.1827.28.camel@klausk.br.ibm.com.br.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi,

 I'd like to know what the supported methods of usage are if I have to
use two or more KDC instances with one LDAP directory. I can see a
couple of scenarios but I'm not really sure what the supported way of
dealing with them is. For example:

1) Two KDC servers, one LDAP server, same realm:
   Since LDAP has no locking mechanism, would there be potential race
conditions? Is kpropd the correct way of doing this?

2) Two KDC servers, one LDAP server, separate realms:
   I don't see why I couldn't have two KDC instances using the same LDAP
server, if they are not dealing with the same realm.

3) one KDC server, two mirror LDAP servers, same realm:
   The way I see it, we would need LDAP synchronization between the LDAP
servers.

4) two KDC servers, two mirror LDAP servers, same realm:
   We should use kpropd + ldap synchronization?

5) two KDC servers, two mirror LDAP servers, separate realms:
   same as (2)?


Thanks,

 -Klaus

-- 
Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
Linux Security Development, IBM Linux Technology Center

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
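To make the scenarios above concrete, here is an added example of the kdc.conf fragment one KDC would use with MIT Kerberos's kldap database module. It is not from the poster or from the list thread; the realm names, DNs, host names and file paths are constructed placeholders. It shows the pieces that the scenarios vary: the realm a KDC serves (scenarios 2 and 5 give each KDC its own realm stanza against the same directory), and the `ldap_servers` list, which accepts more than one whitespace-separated LDAP server so a KDC can fall back between mirrored directories (scenarios 3 and 4).

```ini
# kdc.conf for the KDC serving realm A (constructed example, not the poster's config)

[kdcdefaults]
    kdc_ports = 88

[realms]
    # Realm stanza for this KDC. A second KDC serving a different realm
    # (scenario 2 or 5) would carry its own stanza, e.g. REALM-B.EXAMPLE,
    # and point at the same database module below.
    REALM-A.EXAMPLE = {
        database_module = ldap_mirror_pair
        # Principals of both realms live under the same kerberos container
        # in the directory; the realm name keeps their subtrees apart.
    }

[dbmodules]
    ldap_mirror_pair = {
        db_library = kldap

        # Container under which the realm subtrees are stored (placeholder DN).
        ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=net

        # Identities the KDC and kadmind bind as (placeholder DNs). Their
        # passwords are not written here; they are stashed with
        #   kdb5_ldap_util stashsrvpw -f /etc/krb5kdc/service.keyfile <dn>
        ldap_kdc_dn = "cn=krbkdc,dc=example,dc=net"
        ldap_kadmind_dn = "cn=krbadmin,dc=example,dc=net"
        ldap_service_password_file = /etc/krb5kdc/service.keyfile

        # Whitespace-separated list: the KDC tries ldap1 first and falls back
        # to ldap2, so a mirrored directory pair (scenario 3/4) needs no
        # KDC-side change beyond listing both replicas. Use ldaps:// or
        # ldapi:// so bind credentials and principal keys never cross the
        # network in the clear.
        ldap_servers = ldaps://ldap1.example.net ldaps://ldap2.example.net

        ldap_conns_per_server = 5
    }
```

A second KDC for realm B would differ only in its `[realms]` stanza and in the bind DNs it is given; keeping separate, least-privileged bind identities per KDC makes it easier to tell in the directory's access logs which KDC performed a write. Whether two KDCs may serve the same realm against one directory without kprop is the question the poster asks, and this fragment does not answer it; it only shows where each scenario's choice lands in the configuration.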
