On 24.05.2012 18:01, Oliver Loch wrote:
> So given that the multi master synchronization is working, and the
> time sync works too, will I run into database problems with the KDC
> services? Is all the information stored in the DIT and can one of
> the KDCs get into trouble because the data in the tree doesn't match
> the one in its cache (as far as there is one)? That's the main thing
> I'm concerned about.
- I don't think there is a cache. In my setup with OpenLDAP, slapd is queried every time I do a kinit.

- During initial synchronization of a slapd instance some principal entries may not yet be synchronized and will be reported as "Client not found in Kerberos database ...". So slapd instances should only be activated in kdc.conf after initial synchronization of the LDAP database.

>
> - Multi master LDAP with multi KDC and LDAP database backend
>
> If I get it right, normally you have one "master kdc" that is writeable
> for changes and stuff and then the changes of the database are pushed to
> the clients. So, in OpenLDAP terms, one provider, multiple consumers.
> But if one uses LDAP as the backend, then you get two providers and
> no consumers, don't you?

Yes, it is possible to have multi master KDCs when using LDAP as backend. I have had this setup running for a while.

On the client side you can put multiple kpasswd_server lines in krb5.conf or configure multiple _kpasswd._udp.YOUR.REALM SRV records in your DNS service. However, admin_server can only be specified one time.

--
Mark Pröhl
[email protected]
www.kerberos-buch.de

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
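The two recommendations in the reply above, as an added configuration example that is not part of the original message or of the MIT krb5 documentation: a KDC-side [dbmodules] stanza whose ldap_servers list names only slapd instances that have finished their initial sync, and a client-side [realms] stanza with several kpasswd_server lines but a single admin_server. The realm name, host names, DNs and key file path are assumptions.

```ini
# Added example, not from the original message. Realm, host names, DNs
# and the key file path are assumptions.

# --- KDC side: /etc/krb5kdc/kdc.conf (the [dbmodules] section may
# equally live in krb5.conf on the KDC hosts) ------------------------
[realms]
    EXAMPLE.COM = {
        database_module = ldap_example
    }

[dbmodules]
    ldap_example = {
        db_library = kldap
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
        ldap_kdc_dn = cn=kdc-service,dc=example,dc=com
        ldap_kadmind_dn = cn=adm-service,dc=example,dc=com
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        # Whitespace-separated LDAP URIs the KDC/kadmind may query.
        # List only slapd instances whose initial synchronization has
        # completed; a replica that is still catching up answers with
        # "Client not found in Kerberos database" for missing entries.
        ldap_servers = ldaps://ldap1.example.com ldaps://ldap2.example.com
    }

# --- Client side: /etc/krb5.conf ---------------------------------------
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        # Several password-change servers may be listed ...
        kpasswd_server = kdc1.example.com
        kpasswd_server = kdc2.example.com
        # ... but admin_server is given once.
        admin_server = kdc1.example.com
    }
```

The kpasswd_server lines can be replaced by one DNS SRV record per server, e.g. `_kpasswd._udp.EXAMPLE.COM. IN SRV 0 0 464 kdc2.example.com.` (464 is the kpasswd port). When bringing up an additional slapd replica, add it to ldap_servers only after a `kinit` for a recently created principal succeeds against that replica, which confirms the entry has arrived in its copy of the DIT.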
