
Re: kadmin talking to ldapi problem



On Thursday 02 November 2006 05:53, Kent Nasveschuk wrote:
> On Thu, 2006-11-02 at 00:03 -0800, Howard Chu wrote:
> > Kent Nasveschuk wrote:
> > > On Wed, 2006-11-01 at 22:42 -0800, Howard Chu wrote:
> > >> Kent Nasveschuk wrote:
> > >> > On Tue, 2006-10-31 at 02:58 -0500, Andrew Bartlett wrote:
> > >> >> On Tue, 2006-10-31 at 02:32 -0500, Kent Nasveschuk wrote:
> > >> >> > I think I have this running now, well at least kadmin writes to
> > >> >> > LDAP. I was able to initialize the realm and add users. Couple
> > >> >> > questions:
> > >> >> >
> > >> >> > 1) Replication when using LDAP as backend. In the past I have
> > >> >> > used slurpd to replicate the master to slaves. I haven't used
> > >> >> > syncrepl yet but I realize that it is probably the way to go.
> > >> >> > When you factor in Heimdal, how can I replicate this? I'm new to
> > >> >> > Heimdal, one would think that replication can't be left to
> > >> >> > syncrepl anymore.
> > >>
> > >> Once the info is in LDAP, it doesn't matter where it came from. Why in
> > >> the world would you think that Heimdal doesn't work with syncrepl?
> > >
> > > I know syncrepl will work with the LDAP side, how do I replicate KDCs
> > > with LDAP backend?
>
> So the KDC slave propagates changes to the master KDC
> Master writes changes to LDAP
> syncrepl replicates changes from master to LDAP slaves
> KDC slaves see changes on LDAP backend
>
> Do I have that right?
>

Why do you want to write to your KDC slaves? There is no multi-master mode in 
heimdal AFAIK, so writes have to go to the master. The LDAP backend makes no 
difference there; instead of hprop/iprop you use LDAP syncrepl in order to 
push changes to the slaves. I'm running it this way in our new setup and I 
haven't encountered any problems so far. You run kadmind and kpasswdd only on 
the master and point "admin_server" in your krb5.conf to it.

> > This is no different than any other LDAP replication scenario. Set up a
> > slapd slave wherever you want to run a replicated KDC. Use chaining to
> > forward KDC writes on the slaves up to the master.

Karsten.
-- 
"Deliver yesterday, code today, think tomorrow."
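The layout Karsten describes (writes only on the master, syncrepl pushing the LDAP tree to the slaves, every KDC reading the slapd on its own host), as an added configuration example that is not from the original thread. Host names, DNs and the replicator password are placeholders; the Heimdal kdc.conf database options are assumptions to check against your Heimdal version.

```conf
# --- kdc.conf on every KDC (master and slaves): the HDB lives in LDAP.
# Each kdc talks to the slapd on its own host, so a slave KDC never needs
# write access to anything; only kadmind/kpasswdd on the master write.
# (dbname syntax and mkey_file are assumed from Heimdal's documented options.)
[kdc]
    database = {
        dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com
        mkey_file = /var/heimdal/m-key
    }

# --- krb5.conf on clients: any KDC answers AS/TGS requests, but kadmin and
# kpasswd (the only writers) are sent to the master alone via admin_server.
[realms]
    EXAMPLE.COM = {
        # kdc1 = master (runs kdc, kadmind, kpasswdd); kdc2 = slave (kdc only)
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
    }

# --- slapd.conf on a slave: refreshAndPersist consumer of the master.
# updateref turns any stray write into a referral to the master, so the
# replica stays read-only and there is never a second writer to reconcile.
# ldaps:// keeps principal keys off the wire in the clear during replication.
database    bdb
suffix      "dc=example,dc=com"
rootdn      "cn=Manager,dc=example,dc=com"
syncrepl    rid=001
            provider=ldaps://kdc1.example.com
            type=refreshAndPersist
            retry="60 +"
            searchbase="dc=example,dc=com"
            bindmethod=simple
            binddn="cn=replicator,dc=example,dc=com"
            credentials="REPLACE-ME-placeholder"
updateref   ldaps://kdc1.example.com
```

With this in place a slave that loses the link to the master keeps serving tickets from its last replicated state and simply catches up on reconnect; nothing on the slave ever attempts to modify principals.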