Re: multiple kdc masters with resilient LDAP backend
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Tue Feb 2 08:26:05 2010
Mime-Version: 1.0 (Apple Message framework v1077)
From: Ken Raeburn <raeburn@mit.edu>
In-Reply-To: <f8b49e0c1002020435i73280106lb35aa05ac547755@mail.gmail.com>
Date: Tue, 2 Feb 2010 08:25:44 -0500
Message-Id: <000774FA-B62D-4C7A-AC7A-128556CE69F1@mit.edu>
To: rhod davies <nomrhod@googlemail.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Feb 2, 2010, at 07:35, rhod davies wrote:
> I understand that we can run multiple KDCs in an autonomous way, but
> sharing the same data store (in LDAP), this is good, and what I want
> to have - i.e. a resilient KDC service. We can misplace a data
> centre, but still offer a KDC service as LDAP has made sure that the
> data is replicated around the globe.
You can also run multiple KDCs with replicated data without LDAP; the data just needs to be replicated from one master KDC to the others, and MIT ships code to do that, all at once or incrementally. If the master KDC should go offline, the others should have the necessary data for one to be (manually) promoted to be the new master. It is still a one-master-at-a-time setup, though.
Just making sure you don't think LDAP is the only way to run multiple KDCs for a realm....
Ken
--
Ken Raeburn / raeburn@mit.edu / no longer at MIT Kerberos Consortium
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
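The non-LDAP setup Ken describes, replicas fed from a single master, as an added example that is not part of the original message or of MIT's own distribution: a small POSIX shell script that does the "all at once" propagation with MIT's kdb5_util and kprop, plus the kpropd.acl check a replica needs before kpropd will accept the dump. The realm, host names and directory paths are assumptions; the incremental (iprop) path is not shown. Set DRY_RUN=1 to print the commands instead of running them, so the script can be exercised on a host without Kerberos installed.

```shell
#!/bin/sh
# Added example, not code from the original message or from MIT Kerberos.
# Full-dump propagation from the master KDC to its replicas, the
# "all at once" replication mentioned above, with the kpropd.acl check
# a replica needs before it will accept a dump from this master.
# Realm, hosts and paths below are assumptions; override them by
# environment. DRY_RUN=1 prints the commands instead of running them.

REALM="${REALM:-EXAMPLE.COM}"                    # assumed realm
MASTER_HOST="${MASTER_HOST:-kdc1.example.com}"   # assumed master KDC
KDC_DIR="${KDC_DIR:-/var/kerberos/krb5kdc}"      # assumed KDC state directory
DUMP_FILE="${DUMP_FILE:-$KDC_DIR/replica_datatrans}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or in dry-run mode just echo its command line.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# kpropd on a replica only accepts dumps from principals listed in its
# kpropd.acl, one principal per line. Returns 0 if the master's host
# principal is present, 1 otherwise (missing file counts as not present).
check_kpropd_acl() {
    acl_file="$1"
    principal="host/${MASTER_HOST}@${REALM}"
    [ -r "$acl_file" ] || return 1
    grep -qx "$principal" "$acl_file"
}

# Dump the whole database on the master and push it to every replica
# given as an argument. A failed push is reported but does not stop the
# remaining pushes, so one unreachable replica does not starve the
# others. Returns the number of replicas that failed (0 = all good).
propagate_all() {
    failed=0
    run kdb5_util dump "$DUMP_FILE" || return 1
    for replica in "$@"; do
        if ! run kprop -f "$DUMP_FILE" "$replica"; then
            echo "propagation to $replica failed" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Typical use from cron on the master only; run on more than one host at
# a time and the replicas would receive competing dumps, which is the
# one-master-at-a-time limitation the message points out.
# propagate_all kdc2.example.com kdc3.example.com
```

Run it only on the current master; promoting a replica after a master failure means moving this job (and the master's entry in each replica's kpropd.acl) to the new master, not running it in two places.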