Re: scalability of heimdal replication
At 8:25 AM +0100 3/18/04, Johan Danielsson wrote:
>Andreas <andreas@conectiva.com.br> writes:
>
>> These remote sites need to be able to authenticate everyone,
>> including people from the other sites. I guess establishing
>> cross-realm authentication in this scenario would be too much, so I
>> figured having only a single realm and using replication.
>
>But the clients can't talk to a "central" kdc?
>
>/Johan

300 slaves is a requirement that needs a bit of explaining. Clients
don't talk a lot to KDCs so a low-bandwidth connection should be
fine as long as it's reliable. If you really have 300 locations that
may have to operate autonomously for a while (not even talk to each
other) then maybe you have a case.

Normally you only have around 3 KDCs total, not 300.

IF (and I say IF!) you need 300 then I would suggest you craft a
fan-out and drive some slaves from other slaves.

    time 0   master -> s1
    time 1   master -> s2   s1 -> s3
    time 2   master -> s4   s1 -> s5   s2 -> s6    s3 -> s7
    time 3   master -> s8   s1 -> s9   s2 -> s10   s3 -> s11
             s4 -> s12   etc...

Looks pretty tedious to set up, and if s1 fails then half your slaves
don't get updated. So there are reliability issues to address. If s1
- s3 are reliable enough to justify their place in this hierarchy
then aren't they reliable enough for the clients to just talk to them
directly?

So. To answer the original question: yes you can do that. But it's
probably a bad idea.
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
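
Added example (not part of the original message, and not Heimdal code): the fan-out schedule from the message above, generalized to any number of slaves, together with the set of slaves left stale when one relay is down. The function names are hypothetical, and slave numbering is assumed to follow the schedule in the message.

```python
# Added illustration: doubling fan-out where every KDC that already holds the
# database pushes to one new slave per round. Slave 0 stands for the master.

def parent(n):
    """Upstream of slave n: n with its top set bit cleared; 0 means the master."""
    return n ^ (1 << (n.bit_length() - 1))


def schedule(n_slaves):
    """Rounds of (source, dest) pushes; round t feeds s(2^t) .. s(2^(t+1) - 1)."""
    rounds = []
    for n in range(1, n_slaves + 1):
        t = n.bit_length() - 1
        if t == len(rounds):
            rounds.append([])
        rounds[t].append((parent(n), n))
    return rounds


def stale_if_down(failed, n_slaves):
    """Slaves left without the update when `failed` is down (itself included)."""
    stale = []
    for n in range(1, n_slaves + 1):
        hop = n
        # Walk upstream towards the master; stop if the failed relay is on the path.
        while hop and hop != failed:
            hop = parent(hop)
        if hop == failed:
            stale.append(n)
    return stale


def name(n):
    return "master" if n == 0 else f"s{n}"


if __name__ == "__main__":
    total = 300  # figure taken from the thread
    plan = schedule(total)
    for t, pushes in enumerate(plan[:4]):
        print(f"time {t}", "  ".join(f"{name(a)} -> {name(b)}" for a, b in pushes))
    print(f"{total} slaves need {len(plan)} rounds")
    for relay in (1, 2, 3, 4):
        print(f"{name(relay)} down: {len(stale_if_down(relay, total))} slaves stale")
```
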