
Re: Two Heimdal KDC's with openldap backend

I'm used to doing that with Heimdal's iprop daemons.  They work well  
if properly watched and restarted (though that should be much better  
in current versions).

For an LDAP back end, I would think that any full-up LDAP replication  
system would be sufficient.  LDAP is just some arbitrary (slower)  
database to Heimdal.  I don't know what's special about "smb5pwd".

On Apr 30, 2008, at 5:12 PM, Scott Grizzard wrote:

> I have the following setup:
> KDC with OpenLDAP backend
> Samba with same OpenLDAP backend
> Password syncing through smbk5pwd
>
> I want to add a second server to the network for high availability and
> faster auths for a distant portion of the network.
>
> Can I set up the second server as:
> KDC with OpenLDAP backend
> Samba Backup Domain Controller with OpenLDAP
> Password syncing through smbk5pwd
>
> I want to set up OpenLDAP in multi-master mode.  If I do this though, I
> have a problem because heimdal will attempt to sync passwords across the
> KDCs using its system, and openldap will also try to sync using the
> multi-master replication.
>
> Can I just turn off heimdal's syncing (not even install it), just
> install the second KDC as if I wasn't going to sync it at all, and then
> let OpenLDAP keep the database in sync?
>
> Is all the KDCs need from each other stored in that ldap backend, or
> will there be stuff missing?
>
> Cheers,
> -- Scott

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu