List: kerberos
Subject: Re: primary/secondary config question
From: edward () murrell ! co ! nz
Date: 2007-12-13 5:01:37
Message-ID: 2250.124.197.37.44.1197522097.squirrel () zinc ! murrell ! co ! nz
I haven't used LDAP for storing data, but since Kerberos doesn't hold any
state, this shouldn't be a problem, providing you have your replication
set up properly. If you are using a single master LDAP, you should be able
to tell the kadmind-running KDC to refer to the master LDAP to write its
changes to, or if you can, use multi-master replication - although that
could have 'odd' effects if a client updates its password on one KDC,
then uses the same password on another before the changes are pushed out.
> Would there be any problems having both kdcs modifying
> the database?
>
> thanks
>
> Steve
>
> --- edward@murrell.co.nz wrote:
>
>> Extra complexity for no benefit?
>>
>> The load on the LDAP server is likely to be higher
>> than the load on the
>> KDC, so spreading the load of the KDCs isn't going
>> to change anything
>> unless one of your KDCs is really really slow.
>> If you want
>> redundancy, I would maybe consider making slave
>> replicas of the LDAP
>> database on the KDC machines, and pointing the KDCs
>> at the local replica,
>> followed by the other two.
>>
>> Edward
>>
>> > Could someone review this setup, and provide some
>> > feedback?
>> >
>> > I am using an ldap backend, with a primary and
>> > secondary kdc pointing to the same ldap server
>> (only
>> > the primary runs kadmind). Both the primary and the
>> > secondary can affect the database. I'm wondering
>> if
>> > there are any reasons why I wouldn't want to do
>> this
>> > in a production environment.
>> >
>> > Thanks in advance!
>> >
>> > Steve
>> >
>>
>> ________________________________________________
>> Kerberos mailing list Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
>
>
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
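
The layout suggested in this thread, sketched as MIT krb5 `kdc.conf` fragments for the two hosts. This is an added example, not part of the original messages; the realm, hostnames, DNs, section name and file paths are placeholder assumptions.

```ini
# --- kdc.conf on the secondary KDC (runs krb5kdc only) -------------------
# All names below are placeholders chosen for this example.
[realms]
    EXAMPLE.COM = {
        database_module = ldap_backend
    }

[dbmodules]
    ldap_backend = {
        db_library = kldap
        ldap_kerberos_container_dn = "cn=krbContainer,dc=example,dc=com"
        # Bind identity for the KDC; give it read access only in the LDAP ACLs
        ldap_kdc_dn = "cn=kdc-service,dc=example,dc=com"
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        # Local replica listed first, then the other LDAP servers.
        # Remote servers use ldaps:// so principal keys are not sent in clear.
        ldap_servers = ldapi:/// ldaps://ldap-master.example.com ldaps://ldap-replica2.example.com
    }

# --- kdc.conf on the primary KDC (runs krb5kdc and kadmind) --------------
[realms]
    EXAMPLE.COM = {
        database_module = ldap_backend
    }

[dbmodules]
    ldap_backend = {
        db_library = kldap
        ldap_kerberos_container_dn = "cn=krbContainer,dc=example,dc=com"
        ldap_kdc_dn = "cn=kdc-service,dc=example,dc=com"
        # Separate bind identity for kadmind; the only one with write access
        ldap_kadmind_dn = "cn=adm-service,dc=example,dc=com"
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        # Single-master LDAP: point the kadmind host at the master so that
        # password changes and principal edits are written there directly.
        ldap_servers = ldaps://ldap-master.example.com
    }
```

With a single LDAP master, only the `ldap_kadmind_dn` identity needs write access, which keeps a compromised secondary KDC from modifying principals.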