[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Two Heimdal KDC's with openldap backend

To: heimdal-discuss@sics.se, Scott Grizzard <scott@scottgrizzard.com>
Subject: Re: Two Heimdal KDC's with openldap backend
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Date: Wed, 30 Apr 2008 19:28:59 -0700
In-Reply-To: <48190AD8.6000609@scottgrizzard.com>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
References: <48190AD8.6000609@scottgrizzard.com>
Reply-To: heimdal-discuss@sics.se, "Henry B. Hotz" <hotz@jpl.nasa.gov>

I'm used to doing that with Heimdal's iprop daemons.  They work well  
if properly watched and restarted (though that should be much better  
in current versions).

For an LDAP back end, I would think that any full-up LDAP replication  
system would be sufficient.  LDAP is just some arbitrary (slower)  
database to Heimdal.  I don't know what's special about "smb5pwd".

On Apr 30, 2008, at 5:12 PM, Scott Grizzard wrote:

> I have the following setup:
>
> KDC with OpenLDAP backend
> Samba with same OpenLDAP backend
> Password Syncing through smbk5pwd
>
> I want to add a second server to the network for high availability and
> faster auths for a distant portion of the network.
>
> Can I set up the second server as:
> KDC with OpenLDAP backend
> Samba BackupDomain Contoller with OpenLDAP
> Password Syncing through smbk5pwd
>
> I want to setup OpenLDAP in multi-master mode.  If I do this though, I
> have a problem because heimdal will attempt to sync passwords across  
> the
> kdc's using its system, and openldap will also try to sync using the
> multi-master replication.
>
> Can I just turn off heimdal's syncing (not even install it), just
> install the second KDC as if I wasn't going to sync it at all, and  
> then
> let OpenLDAP keep the database in sync.
>
> Is all the KDC's need from each other stored in that ldap backend, or
> will there be stuff missing?
>
> Cheers,
>
> -- Scott

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu

Follow-Ups:
- Re: Two Heimdal KDC's with openldap backend
  - From: Scott Grizzard <scott@scottgrizzard.com>

References:
- Two Heimdal KDC's with openldap backend
  - From: Scott Grizzard <scott@scottgrizzard.com>

Prev by Date: Re: heimdal 1.2rc2
Next by Date: Re: Two Heimdal KDC's with openldap backend
Prev by thread: Two Heimdal KDC's with openldap backend
Next by thread: Re: Two Heimdal KDC's with openldap backend
Index(es):
- Date
- Thread