
Re: Two Heimdal KDC's with openldap backend

smbk5pwd is the openldap module that syncs passwords between samba,
openldap, and heimdal.  It is the coolest thing since ... well, it's way
cooler than sliced bread.

As long as iprop doesn't replicate anything that ISN'T stored in the
LDAP database, then LDAP replication should do the trick and I don't
have to worry about it.

I guess my question is: does iprop replicate anything that isn't stored
in the ldap database?

- scott

Henry B. Hotz wrote:
> I'm used to doing that with Heimdal's iprop daemons.  They work well
> if properly watched and restarted (though that should be much better
> in current versions).
>
> For an LDAP back end, I would think that any full-up LDAP replication
> system would be sufficient.  LDAP is just some arbitrary (slower)
> database to Heimdal.  I don't know what's special about "smb5pwd".
>
> On Apr 30, 2008, at 5:12 PM, Scott Grizzard wrote:
>
>> I have the following setup:
>>
>> KDC with OpenLDAP backend
>> Samba with same OpenLDAP backend
>> Password Syncing through smbk5pwd
>>
>> I want to add a second server to the network for high availability and
>> faster auths for a distant portion of the network.
>>
>> Can I set up the second server as:
>> KDC with OpenLDAP backend
>> Samba Backup Domain Controller with OpenLDAP
>> Password Syncing through smbk5pwd
>>
>> I want to set up OpenLDAP in multi-master mode.  If I do this though, I
>> have a problem because heimdal will attempt to sync passwords across the
>> kdc's using its system, and openldap will also try to sync using the
>> multi-master replication.
>>
>> Can I just turn off heimdal's syncing (not even install it), just
>> install the second KDC as if I wasn't going to sync it at all, and then
>> let OpenLDAP keep the database in sync?
>>
>> Is everything the KDC's need from each other stored in that ldap backend, or
>> will there be stuff missing?
>>
>> Cheers,
>>
>> -- Scott
>
> ------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu