[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: scalability of heimdal replication
At 8:25 AM +0100 3/18/04, Johan Danielsson wrote:
>Andreas <email@example.com> writes:
>> These remote sites need to be able to authenticate everyone,
>> including people from the other sites. I guess establishing
>> cross-realm authentication in this scenario would be too much, so I
>> figured having only a single realm and using replication.
>But the clients can't talk to a "central" kdc?
300 slaves is a requirement that needs a bit of explaining. Clients
don't talk a lot to KDC's so a low-bandwidth connection should be
fine as long as it's reliable. If you really have 300 locations that
may have to operate autonomously for a while (not even talk to each
other) then maybe you have a case.
Normally you only have around 3 KDC's total, not 300.
IF (and I say IF!) you need 300 then I would suggest you craft a
fan-out and drive some slaves from other slaves.
time 0 master -> s1
time 1 master -> s2 s1 -> s3
time 2 master -> s4 s1 -> s5 s2 -> s6 s3 -> s7
time 3 master -> s8 s1 -> s9 s2 -> s10 s3 -> s11
s4 -> s12 etc...
Looks pretty tedious to set up, and if s1 fails then half your slaves
don't get updated. So there are reliability issues to address. If s1
- s3 are reliable enough to justify their place in this hierarchy
then aren't they reliable enough for the clients to just talk to them
So. To answer the original question: yes you can do that. But it's
probably a bad idea.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or firstname.lastname@example.org