Re: scalability of heimdal replication

On Thu, 2004-03-18 at 07:52, Andreas wrote:
> On Wed, Mar 17, 2004 at 09:29:39PM +0100, Johan Danielsson wrote:
> > Andreas <andreas@conectiva.com.br> writes:
> > 
> > > Would it make sense to replicate a heimdal kerberos database to,
> > > say, 300 remote sites interconnected with a WAN link?
> > 
> > I can't see any immediate reason to do this. What are you trying to
> > accomplish?
> These remote sites need to be able to authenticate everyone, including people
> from the other sites. I guess establishing cross-realm authentication in this
> scenario would be too much, so I figured having only a single realm and using
> replication. Or perhaps some trick with the ldap backend?

You can replicate these things with LDAP, yes.  The problem is that
changes on the remote LDAP servers will not be allowed, given Heimdal's
current LDAP authentication model.

I *think* the kerberos solution to this is to only run kpasswdd/kadmind
on the central server.  Otherwise, it is quite possible to force the
remote site to rebind to the central LDAP server for updates, like Samba
does, but the code doesn't allow this at present.

Andrew Bartlett

Andrew Bartlett
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
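The design discussed above (one realm, the Kerberos database kept in LDAP, read-only copies at the remote sites, and all writes going through kadmind/kpasswdd on the central server) can be sketched as an OpenLDAP consumer configuration. This is an added illustration, not configuration from the thread, from Heimdal or from Samba; the host names, DNs, paths and the replicator credentials are assumed, and it presumes a current OpenLDAP syncrepl consumer rather than the 2004-era slurpd setup.

```conf
# slapd.conf on a REMOTE site (read-only consumer).  Assumed example, not
# from the original message.  All names and credentials are placeholders.

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/hdb.schema      # Heimdal's LDAP schema (path assumed)

database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

# Pull the whole tree (including operational attributes) from the central
# server and keep it current.  Only the replicator account needs read access
# to the Kerberos key material.
syncrepl        rid=001
                provider=ldap://kdc-central.example.com
                type=refreshAndPersist
                retry="60 +"
                searchbase="dc=example,dc=com"
                scope=sub
                attrs="*,+"
                bindmethod=simple
                binddn="cn=replicator,dc=example,dc=com"
                credentials=REPLACE_WITH_SECRET   # placeholder
                starttls=critical

# Any write attempted against this replica is answered with a referral to
# the central server.  As the message notes, Heimdal's own LDAP backend does
# not chase such referrals, which is why kadmind and kpasswdd should run
# only on the central server.
updateref       ldap://kdc-central.example.com

# Remote-site kdc.conf: the KDC reads principals from the local replica and
# never writes.  The dbname form follows Heimdal's hdb-ldap convention;
# the base DN is assumed.
#
#   [kdc]
#       database = {
#           dbname   = ldap:ou=KerberosPrincipals,dc=example,dc=com
#           mkey_file = /var/heimdal/m-key
#       }
```

The practical consequence for operations is the one the message spells out: password changes and principal administration must be pointed at the central realm server (kpasswd and kadmin clients find it through krb5.conf or DNS), while the 300 remote KDCs only answer AS and TGS requests from their replicated copy. Since each replica holds every principal's keys, the replicas need the same physical and access controls as the central KDC.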

