[30097] in Kerberos
Re: Two (or more) KDCs and a single LDAP directory
daemon@ATHENA.MIT.EDU (Simo Sorce)
Tue Jul 15 14:50:16 2008
From: Simo Sorce <ssorce@redhat.com>
To: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
In-Reply-To: <1216135316.1827.28.camel@klausk.br.ibm.com.br.ibm.com>
Date: Tue, 15 Jul 2008 14:48:07 -0400
Message-Id: <1216147687.23973.52.camel@localhost.localdomain>
Mime-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Tue, 2008-07-15 at 12:21 -0300, Klaus Heinrich Kiwi wrote:
> Hi,
>
> I'd like to know what are the supported methods of usage if I have to
> use two or more KDC instances with one LDAP directory. I can see a
> couple of scenarios but I'm not really sure what is the supported way of
> dealing with them. For example:
>
> 1) Two KDC servers, one LDAP server, same realm:
> Since LDAP has no locking mechanism, would there be potential race
> conditions? Is kpropd the correct way of doing this?
Internal locking guarantees operations are atomic. So, if the ldap
client is written correctly, data should always be consistent.
> 2) Two KDC servers, one LDAP server, separate realms:
> I don't see why I couldn't have two KDC instances using the same LDAP
> server, if they are not dealing with the same realm.
As long as you have 2 separate parts of the tree dedicated to the 2
realms, there should be no problem.
> 3) one KDC server, two mirror LDAP servers, same realm:
> The way I see it, we would need LDAP synchronization between the LDAP
> servers.
Using native LDAP replication is usually the way to go.
> 4) two KDC servers, two mirror LDAP servers, same realm:
> We should use kpropd + ldap synchronization?
I don't know what kpropd would buy you, the data is already replicated
by ldap.
> 5) two KDC servers, two mirror LDAP servers, separate realms:
> same as (2)?
yup.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
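As an added illustration, not part of the thread, here is how scenarios 2, 4 and 5 above map onto an MIT Kerberos kdc.conf using the kldap backend: two realms kept in separate subtrees of the same directory (Simo's answer to scenario 2), with both KDCs pointed at the same pair of LDAP mirrors so that directory replication, not kpropd, carries the data (his answer to scenario 4). The hostnames, DNs, container names and file paths are assumptions; the configuration keys themselves are the documented kldap options.

```ini
# Added example, not from the thread. Hostnames, DNs and paths are assumptions.
# The same file is deployed on every KDC that serves these realms, so each KDC
# reads and writes the same replicated principal data.
[realms]
    EXAMPLE.COM = {
        database_module = ldap_example
    }
    CORP.EXAMPLE = {
        database_module = ldap_corp
    }

[dbmodules]
    ldap_example = {
        db_library = kldap
        # One Kerberos container per realm, in its own part of the tree
        ldap_kerberos_container_dn = cn=krbContainer,ou=example,dc=example,dc=com
        # Both mirrors are listed; native LDAP replication keeps them consistent
        ldap_servers = ldaps://ldap1.example.com ldaps://ldap2.example.com
        # Distinct bind identities for the KDC (mostly read) and kadmind (write)
        ldap_kdc_dn = cn=kdc-service,ou=example,dc=example,dc=com
        ldap_kadmind_dn = cn=kadmin-service,ou=example,dc=example,dc=com
        # Stash of the bind passwords, created with kdb5_ldap_util stashsrvpw
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        ldap_conns_per_server = 5
    }
    ldap_corp = {
        db_library = kldap
        # Second realm, second subtree, same directory servers
        ldap_kerberos_container_dn = cn=krbContainer,ou=corp,dc=example,dc=com
        ldap_servers = ldaps://ldap1.example.com ldaps://ldap2.example.com
        ldap_kdc_dn = cn=kdc-service,ou=corp,dc=example,dc=com
        ldap_kadmind_dn = cn=kadmin-service,ou=corp,dc=example,dc=com
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
    }
```

Two things a practitioner checks when deploying this: the LDAP ACLs should restrict each realm's KDC and kadmind bind DNs to their own container so a misconfiguration in one realm cannot read or modify the other's keys, and the service password stash must be present with the same contents on every KDC, since each instance binds to the directory independently. Listing the servers as ldaps:// (or a local ldapi:// socket) keeps the bind password and the principal records off the wire in cleartext.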