[32002] in Kerberos
multiple kdc masters with resilient LDAP backend
daemon@ATHENA.MIT.EDU (rhod davies)
Tue Feb 2 07:36:21 2010
Date: Tue, 2 Feb 2010 12:35:53 +0000
Message-ID: <f8b49e0c1002020435i73280106lb35aa05ac547755@mail.gmail.com>
From: rhod davies <nomrhod@googlemail.com>
To: Kerberos@mit.edu
Hi,
I've been reading through the mail archives, and doing the obligatory
google search, but seem to be hitting a brick wall on trying to get a
better understanding of something that should be trivial to get a
handle on (I think).
MIT Kerberos 1.7 configured with a KLDAP backend to a multi-master
resilient LDAP service; single realm.
I understand that we can run multiple KDCs in an autonomous way, but
sharing the same data store (in LDAP), this is good, and what I want
to have - i.e. a resilient KDC service. We can misplace a data
centre, but still offer a KDC service as LDAP has made sure that the
data is replicated around the globe.
There are references to individual/groups who have done this, and all
looks well. However what are the pitfalls with this approach?
Specifically:
- Is any local state held by the krb5kdc process that would cause
issues down the line?
- Are there any issues with running multiple masters (same backing
store - LDAP) for the same realm?
In a similar vein, can kadmind be made resilient in the same manner
(all documents I've seen so far are categorical that only one kadmind
service should be running)?
Many Thanks.
--
Rhod
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos