
List:       kerberos
Subject:    Re: primary/secondary config question
From:       edward () murrell ! co ! nz
Date:       2007-12-13 5:01:37
Message-ID: 2250.124.197.37.44.1197522097.squirrel () zinc ! murrell ! co ! nz

I haven't used LDAP for storing data, but since Kerberos doesn't hold any
state, this shouldn't be a problem, providing you have your replication
set up properly. If you are using a single master LDAP, you should be able
to tell the kadmind-running KDC to refer to the master LDAP to write its
changes to, or if you can, use multi-master replication - although that
could have 'odd' effects if a client updates its password on one KDC,
then uses the same password on another before the changes are pushed out.

> Would there be any problems having both kdcs modifying
> the database?
>
> thanks
>
> Steve
>
> --- edward@murrell.co.nz wrote:
>
>> Extra complexity for no benefit?
>>
>> The load on the LDAP server is likely to be higher than the load on the
>> KDC, so spreading the load of the KDCs isn't going to change anything
>> unless one of your KDCs is really really slow. If you want
>> redundancy, I would maybe consider making slave replicas of the LDAP
>> database on the KDC machines, and pointing the KDCs at the local replica,
>> followed by the other two.
>>
>> Edward
>>
>> > Could someone review this setup, and provide some
>> > feedback?
>> >
>> > I am using an ldap backend, with a primary and
>> > secondary kdc pointing to the same ldap server (only
>> > the primary runs kadmind). Both the primary and the
>> > secondary can affect the database. I'm wondering if
>> > there are any reasons why I wouldn't want to do this
>> > in a production environment.
>> >
>> > Thanks in advance!
>> >
>> > Steve
>> >
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
