[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: &bet;&nun;&vav;&shin;&alef;: kadmin talkingtoldapiproblem

On Tue, 2006-10-31 at 02:58 -0500, Andrew Bartlett wrote:
On Tue, 2006-10-31 at 02:32 -0500, Kent Nasveschuk wrote:
> I think I have this running now, well at least kadmin writes to LDAP.
> I was able to initialize the realm and add users. Couple questions:
> 1) Replication when using LDAP as backend. In the past I have used
> slurpd to replicate the master to slaves. I haven't used syncrepl yet
> but I realize that it is probably the way to go. When you factor in
> Heimdal, how can I replicate this? I'm new to Heimdal, one would think
> that replication can't be left to syncrepl anymore.
What other options are available to provide multiple KDCs and LDAP directories for enterprise use? I've gotten Heimdal to write to LDAP but there is no redundancy with this scenario. KDC writes to master and that's as far as I can go with that. I also need to have replication at different geographic locations.

The main issue is that if Heimdal attempts to write to a slave, then it
will fail.  This should just mean that you need to only run kadmind etc
on the master LDAP server.

> 2) When I add a user, it creates a new user with objectclass
> krb5Principal. If I have existing users, is it possible to add
> objectclass to users account? I'm not sure if this is the thing to do
> or keep krb5Principals separate.

I always try to combine them, and specify the kerberos details
(objectClass and krb5Principal) at account creation time.  

Andrew Bartlett