Re: primary/secondary config question

From: edward@xxxxxxxxxxxxx
Date: Thu, 13 Dec 2007 18:01:37 +1300 (NZDT)

I haven't used LDAP for storing data, but since Kerberos doesn't hold any
state, this shouldn't be a problem, providing you have your replication
set up properly. If you are using a single master LDAP, you should be able
to tell the kadmind-running KDC to refer to the master LDAP to write it's
changes to, or if you can, use multi-master replication - although that
could have 'odd' effects if a client updates it's password on one KDC,
then uses the same password on another before the changes are pushed out.

Would there be any problems having both kdcs modifying
the database?

thanks

Steve

--- edward@xxxxxxxxxxxxx wrote:

Extra complexity for no benefit?

The load on the LDAP server is likely to be higher
than the load on the
KDC, so spreading the load of the KDC's isn't going
to change anything
unless your one of your KDC's is really really slow.
If you want
redundancy, I would maybe consider making slave
replicas of the LDAP
database on the KDC machines, and pointing the KDCs
at the local replica,
followed by the other two.

Edward

Could someone review this setup, and provide some
feedback?

I am using an ldap backend, with a primary and
secondary kdc pointing to the same ldap server

(only

the primary runs kadmind).Both the primary and the
secondary can affect the database. I'm wondering

if

there are any reasons why I wouldn't want to do

this

is a production environment.

Thanks in advance!

Steve

________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos

____________________________________________________________________________________
Never miss a thing. Make Yahoo your home page.
http://www.yahoo.com/r/hs

Prev by Date: Re: AD 2003; MS's ktpass made account corrupted
Next by Date: RE: AD 2003; MS's ktpass made account corrupted
Previous by thread: Re: primary/secondary config question
Next by thread: Venustech reports of MIT krb5 vulns [CVE-2007-5894 CVE-2007-5901 CVE-2007-5902 CVE-2007-5971 CVE-2007-5972]
Index(es):
- Date
- Thread

Relevant Pages

Re: Openldap clustering ?
... you're off to a good start with FreeBSD and OpenLDAP. ... you can set up master-master replication between a couple of OpenLDAP ... The really handy thing about LDAP is that you can do quite a reasonable ... Simply specify a series of LDAP servers in the ldap.conf (or ...
(freebsd-questions)
Re: robust OpenLDAP installation using replication in production env
... >>In order to get a failsafe environment we need the replication. ... >>specification because write requests to the ldap server should ... > Actually they are redirected to the master. ...
(comp.os.linux.misc)
Re: High availability mail server options
... > only need to replicate the mail partition contents and the LDAP ... If you really need down-to-the second replication you might look at ... a 'warm' backup server kept up to date with frequent rsyncs is ...
(Fedora)
Re: ADAM replication via LDAP
... ADAM replicates over RPC, not LDAP. ... Joe Richards Microsoft MVP Windows Server Directory Services ... the replication uses. ...
(microsoft.public.windows.server.active_directory)
Netscape Directory Server 6.1 LDAP servers stopped replicating to each other
... We run a pair of Netscape directory servers V6.1 on two separate ... boxes and their LDAP entries replicate/synchronize to each other. ... This replication has been running fine for years and couple of ... remove replication agreement. ...
(SunManagers)