multiple KDCs and kadmin's talking to the same LDAP instance, is this okay?


multiple KDCs and kadmin's talking to the same LDAP instance, is this okay?

Chris Hecker
I'm moving all the stuff running on a server so I can update it a couple
major versions, so it needs a full wipe, and I'm in that awkward
transition phase right now.  I have LDAP running on a different machine
now, with an ssh tunnel open between the two (the LDAP server ports
aren't exposed publicly), and some /etc/hosts file chicanery to get the
services that want to talk to LDAP on the old server talking to the new
server.  Obviously krb5kdc and kadmin are the two relevant here,
although I have two other apps (one in C and one in Perl) that talk to
both LDAP and libkadm5, so they're also doing the ssh tunnel thing.

Anyway, for moving the KDC et al., I need to wait for DNS to propagate
for the server name all my clients in the wild use, so I'm just going to
have both machines running the KDC and kadmin, the old machine running
them to the LDAP backend over the ssh tunnel, and the new machine
talking to LDAP directly.  There's no problem with having these two KDCs
hitting the same LDAP server at the same time, right?  It seems like the
normal way to scale Kerberos with LDAP is to have LDAP replicate to each
KDC machine, which seems like it'd be basically the same thing assuming
instant replication speed.  It seems like this would be strictly better
than that, at least?  Anything I should be worried about?

Chris

_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: multiple KDCs and kadmin's talking to the same LDAP instance, is this okay?

Greg Hudson
On 07/23/2018 11:39 PM, Chris Hecker wrote:
> There's no problem with having these two KDCs
> hitting the same LDAP server at the same time, right?

Yes, that should work fine.  Please use [hidden email] for operational
questions like this.