Re: Two Heimdal KDC's with openldap backend
Hello Scott,
If you use the ldap backend, just use ldap replication instead of iprop/
hprop, since that will propagate stuff like samba attributes too (and
all other ldap stuff).
Love
On 1 May 2008 at 04:34, Scott Grizzard wrote:
> smbk5pwd is the openldap module that syncs passwords between samba,
> openldap, and heimdal. It is the coolest thing since ... well, it's
> way cooler than sliced bread.
>
> As long as iprop doesn't replicate anything that ISN'T stored in the
> LDAP database, then LDAP replication should do the trick and I don't
> have to worry about it.
>
> I guess my question is: does iprop replicate anything that isn't
> stored in the ldap database?
>
> - scott
>
> Henry B. Hotz wrote:
>> I'm used to doing that with Heimdal's iprop daemons. They work well
>> if properly watched and restarted (though that should be much better
>> in current versions).
>>
>> For an LDAP back end, I would think that any full-up LDAP replication
>> system would be sufficient. LDAP is just some arbitrary (slower)
>> database to Heimdal. I don't know what's special about "smb5pwd".
>>
>> On Apr 30, 2008, at 5:12 PM, Scott Grizzard wrote:
>>
>>> I have the following setup:
>>>
>>> KDC with OpenLDAP backend
>>> Samba with same OpenLDAP backend
>>> Password Syncing through smbk5pwd
>>>
>>> I want to add a second server to the network for high availability
>>> and faster auths for a distant portion of the network.
>>>
>>> Can I set up the second server as:
>>> KDC with OpenLDAP backend
>>> Samba Backup Domain Controller with OpenLDAP
>>> Password Syncing through smbk5pwd
>>>
>>> I want to set up OpenLDAP in multi-master mode. If I do this
>>> though, I have a problem because heimdal will attempt to sync
>>> passwords across the kdc's using its system, and openldap will also
>>> try to sync using the multi-master replication.
>>>
>>> Can I just turn off heimdal's syncing (not even install it), just
>>> install the second KDC as if I wasn't going to sync it at all, and
>>> then let OpenLDAP keep the database in sync?
>>>
>>> Is all that the KDCs need from each other stored in that ldap
>>> backend, or will there be stuff missing?
>>>
>>> Cheers,
>>>
>>> -- Scott
>>
>> ------------------------------------------------------
>> The opinions expressed in this message are mine,
>> not those of Caltech, JPL, NASA, or the US Government.
>> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
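The setup Love recommends, written out as a constructed slapd.conf fragment (added here, not from the thread or the Heimdal/OpenLDAP projects): both KDC hosts run OpenLDAP in mirror mode with the smbk5pwd overlay, so the LDAP replication carries the hdb entries and the Samba attributes and neither host runs ipropd. Hostnames, suffix, the replicator DN and its credentials are assumptions; the same file is used on both hosts, with only the serverID URLs deciding which server is which.

```conf
# Constructed example: shared slapd.conf for kdc1 and kdc2 (assumed hostnames).
moduleload      syncprov.la
moduleload      smbk5pwd.la

# Each host matches one of these URLs and takes that ID.
serverID        1 ldap://kdc1.example.com
serverID        2 ldap://kdc2.example.com

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap

# The replicator must be able to read krb5Key and sambaNTPassword, so
# keep these attributes readable only by it and by the rootdn.
access to attrs=krb5Key,sambaNTPassword,sambaLMPassword,userPassword
    by dn.exact="cn=replicator,dc=example,dc=com" read
    by self write
    by * auth
access to * by * read

# Provider side: publish the change log that the other host consumes.
overlay         syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# smbk5pwd keeps krb5Key and the Samba hashes in step on password change;
# it reads the Heimdal master key from kdc.conf on this host.
overlay         smbk5pwd
smbk5pwd-enable krb5 samba

# Consumer side: pull from both providers (one of them is ourselves;
# slapd ignores its own serverID). TLS is required because key material
# crosses the wire; the replicator password is an assumed placeholder.
syncrepl rid=1
        provider=ldap://kdc1.example.com
        type=refreshAndPersist
        retry="30 +"
        searchbase="dc=example,dc=com"
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=REPLACE_WITH_REPLICATOR_PASSWORD
        starttls=critical
syncrepl rid=2
        provider=ldap://kdc2.example.com
        type=refreshAndPersist
        retry="30 +"
        searchbase="dc=example,dc=com"
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=REPLACE_WITH_REPLICATOR_PASSWORD
        starttls=critical
mirrormode      on
```

With this in place the second KDC is installed as a plain KDC against the same LDAP suffix; ipropd-master and ipropd-slave are simply not started, and a quick consistency check is to compare the contextCSN of the suffix on both hosts after a password change.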