
Re: Comments on LDAP support in heimdal

Realm names tend to be driven by org charts.

Replication tends to be driven by geography (network geography,  
including firewall locations).

If and only if they are very similar, then you can maybe get away with  
just two servers.  Geographic (physical, network and power) diversity  
is good for reliability.

On Oct 30, 2005, at 9:51 PM, Howard Chu wrote:

> But I question the need to talk to a remote LDAP server in the first  
> place. How many KDCs do you usually deploy in a network? I think the  
> right answer in any given domain/realm is One, plus a backup. When you  
> have geographically diverse users, you usually split the realm and  
> create a local KDC for that purpose... As a general rule, you don't  
> want to have to look Very Far Away to get an answer to an  
> authentication question.

I would think you would want one LDAP server/Kerberos server.
Otherwise you don't have the reliability/diversity that the number of
KDCs would imply.

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu