Master-master deployment?

Yegui Cai
Hi all.
I know the official document recommends master-slave deployment for
production environments.
Wonder if anyone has tried to do a master-master deployment? If yes, how could you
sync between two masters?
Thanks,
Yegui
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Master-master deployment?

t Seeger
Hey Yegui,

I use a multi-master setup. For the sync I use OpenLDAP.

Greeting Thor

> On 2. Feb 2019, at 15:38, Yegui Cai <[hidden email]> wrote:
>
> Hi all.
> I know the official document recommends master-slave deployment for
> production environments.
> Wonder if anyone has tried to do a master-master deployment? If yes, how could you
> sync between two masters?
> Thanks,
> Yegui

Re: Master-master deployment?

Yegui Cai
Hi Thor.
So you have a shared ldap? If so, could that ldap be a single point of
failure?

Thanks,
Yegui

On Sat, Feb 2, 2019 at 11:10 AM t Seeger <[hidden email]> wrote:

> Hey Yegui,
>
> I use a multi-master setup. For the sync I use OpenLDAP.
>
> Greeting Thor

Re: Master-master deployment?

Benjamin Kaduk-2
Most of the instances I've heard about that use multi-master KDCs also use
multi-master LDAP replication, to avoid the SPOF.

-Ben

On Sat, Feb 02, 2019 at 11:12:33AM -0500, Yegui Cai wrote:

> Hi Thor.
> So you have a shared ldap? If so, could that ldap be a single point of
> failure?
>
> Thanks,
> Yegui

Re: Master-master deployment?

Yegui Cai
Would it be possible to not leverage ldap for multiple-master deployment?

On Sat, Feb 2, 2019 at 1:14 PM Benjamin Kaduk <[hidden email]> wrote:

> Most of the instances I've heard about that use multi-master KDCs also use
> multi-master LDAP replication, to avoid the SPOF.
>
> -Ben

Re: Master-master deployment?

Benjamin Kaduk-2
LDAP is the only builtin KDC backend that supports multi-master KDCs at
all.  (I don't know whether there are any public out-of-tree backends that
do so.)

So, while you could use the LDAP backend with a single LDAP master and
multiple KDC masters, that master LDAP server would be a SPOF.

-Ben

On Sat, Feb 02, 2019 at 01:45:44PM -0500, Yegui Cai wrote:

> Would it be possible to not leverage ldap for multiple-master deployment?

Re: Master-master deployment?

t Seeger
Hey,

My deployment is a multi-master LDAP / Kerberos setup... I made a "script" to install it on Debian/Ubuntu. You can have it if you want... it is for testing.


Thor


> On 2. Feb 2019, at 19:48, Benjamin Kaduk <[hidden email]> wrote:
>
> LDAP is the only builtin KDC backend that supports multi-master KDCs at
> all.  (I don't know whether there are any public out-of-tree backends that
> do so.)
>
> So, while you could use the LDAP backend with a single LDAP master and
> multiple KDC masters, that master LDAP server would be a SPOF.
>
> -Ben

Re: Master-master deployment?

Robbie Harwood
In reply to this post by Benjamin Kaduk-2
Benjamin Kaduk <[hidden email]> writes:

> LDAP is the only builtin KDC backend that supports multi-master KDCs at
> all.  (I don't know whether there are any public out-of-tree backends that
> do so.)

freeIPA also supports multi-master, but freeIPA also deploys more than
just a KDC and LDAP.

Thanks,
--Robbie
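
The arrangement Benjamin Kaduk describes in this thread (several KDCs on the LDAP backend, with more than one LDAP server behind them so the directory is not a SPOF) could look like this in each KDC's kdc.conf. This is an added example, not configuration from the thread or from Thor's script; the realm, DNs, hostnames and file path are placeholders, and multi-master replication between the two LDAP servers is assumed to be set up separately in OpenLDAP.

```ini
# kdc.conf on every KDC host. Constructed example: realm, DNs, hostnames
# and paths are placeholders, not values from the thread.

[realms]
    EXAMPLE.COM = {
        database_module = openldap_ldapconf
    }

[dbmodules]
    openldap_ldapconf = {
# Use the LDAP backend instead of the default local database.
        db_library = kldap

# Where the realm's principal entries live in the directory.
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com

# Separate bind identities for the KDC and for kadmind, so the
# directory ACLs can give the KDC less write access than kadmind.
        ldap_kdc_dn = uid=kdc-service,dc=example,dc=com
        ldap_kadmind_dn = uid=kadmin-service,dc=example,dc=com

# Stashed bind passwords for the two DNs above; readable by root only.
        ldap_service_password_file = /etc/krb5kdc/service.keyfile

# Single directory server behind all KDCs: every KDC depends on it,
# which is the SPOF discussed in the thread.
#       ldap_servers = ldaps://ldap1.example.com

# Whitespace-separated list of the multi-master LDAP servers, so the
# KDC can connect to any of them. ldaps:// keeps principal keys
# encrypted between the KDC and the directory.
        ldap_servers = ldaps://ldap1.example.com ldaps://ldap2.example.com
        ldap_conns_per_server = 5
    }
```

Comments are kept at column 0 so they are treated as comments regardless of how the profile parser handles indented ones.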


Re: Master-master deployment?

t Seeger
In reply to this post by t Seeger
Hey Yegui,

You can find the script here https://wp.tntnet.eu/?p=112
There is a very short instruction too. Keep in mind that I'm not an LDAP or Kerberos expert. ^^

Thor

> On 6. Feb 2019, at 03:37, Yegui Cai <[hidden email]> wrote:
>
> Hi Thor
> Sure. Can I have a copy of it? I am still pretty new to Kerberos. Your script is definitely helpful.
> Thanks a lot!
> Yegui
>
>> On Sat, Feb 2, 2019 at 1:55 PM t Seeger <[hidden email]> wrote:
>> Hey,
>>
>> My deployment is a multi-master LDAP / Kerberos setup... I made a "script" to install it on Debian/Ubuntu. You can have it if you want... it is for testing.
>>
>>
>> Thor

Re: Master-master deployment?

Yegui Cai
Awesome, thanks!

On Wed, Feb 6, 2019 at 2:32 AM t Seeger <[hidden email]> wrote:

> Hey Yegui,
>
> You can find the script here https://wp.tntnet.eu/?p=112
> There is a very short instruction too. Keep in mind that I'm not an LDAP or
> Kerberos expert. ^^
>
> Thor

Re: Master-master deployment?

t Seeger
Hey Yegui,

I have just noticed that the script has a bug and does not run. I uploaded the corrected version (0.13.3).

Greetings
Thor

> On 6. Feb 2019, at 13:56, Yegui Cai <[hidden email]> wrote:
>
> Awesome, thanks!