We'd like to deploy Kerberos on our network. We already have a working Kerberos setup in our Lab which has a Master Heimdal Kerberos server with an OpenLDAP backend and a Slave Heimdal Kerberos server which also uses an OpenLDAP backend. We synchronize the Slave with OpenLDAP replication. Everything works great.
Before we go live into production, we're looking for information on how to build the Kerberos infrastructure (i.e. in which network DMZ do I install the KDC? Where should we install the slave Kerberos servers? Can we run a "hidden" KDC, much like a hidden Primary DNS server? How would that affect users who want to change their passwords? etc.).
Unfortunately, we didn't find a lot of documentation which talks specifically about Kerberos architecture. That's why we're looking for experienced Kerberos users to help us deploy a good Kerberos infrastructure.
Our goals are to create a Hidden Master Kerberos and several Slaves. We plan to use the Kerberos/OpenLDAP services for authentication via SSH, OpenAFS, autofs maps, sudo rights plus users and groups. The Kerberos architecture has to support two different data centers. Both sites have several DMZ networks (WWW, Application and Database for the classic three-tiered environment plus the local LAN). We'd like to use Kerberos to log in on all of these networks: one slave in the LAN to support workstations and LAN servers, and two other slaves in a DMZ (which one?) to support the DMZ servers and act as a backup for the workstations. We need to have redundancy of course.
I've created an image of the architecture I just described which you can see at http://www.zerocatastrophe.com/kerberos-architecture.png This architecture is by no means final. Suggestions are welcome!
Please let me know what you think. I will post a summary once the architecture is final.
UNIX systems administrator