> Yes, that's exactly right. At least, in theory; I haven't tried it.
> Using the LDAP back end -- ah, as I see Nico was just saying -- will
> get you a common database shared across the KDCs, and leaves the
> replication mechanism, if any, to the LDAP administrator.
>
> Building something on Ubik might be a possibility. I'm not that
> familiar with it beyond "oh, that thing in AFS", but if it meets the
> performance requirements for a KDC, yes, it could work.

Well, Ubik wouldn't exactly be my first choice; I just threw it out as a possibly-known technology in the KDC replication protocol space.

Ubik is an elected-master protocol. All updates go to the master, which replicates. If the master goes away, after a while the remaining nodes notice and revote a new master (this can take a while). I'm not sure that model works well with the KDC's single-threadedness.

I expect a 3-phase commit model would be more robust.

John

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
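
A simplified model of the elected-master behaviour described in the message above, added here as an illustration; it is not Ubik's or any KDC's actual code. The `Cluster` class, the majority-quorum rule, the lowest-name election winner and the tick-based delay are assumptions of the model, and the principal data is constructed.

```python
class Cluster:
    """Toy elected-master replication: writes go only to the master."""

    def __init__(self, names, election_delay):
        self.names = list(names)
        self.db = {n: {} for n in names}      # per-node copy of the database
        self.alive = set(names)
        self.master = min(names)              # assumption: lowest name wins a vote
        self.election_delay = election_delay  # ticks before survivors revote
        self.masterless_ticks = 0

    def fail(self, node):
        self.alive.discard(node)
        if node == self.master:
            self.master = None                # survivors have not noticed yet
            self.masterless_ticks = 0

    def tick(self):
        """Advance time; elect a new master once the delay passes and a majority is up."""
        if self.master is not None:
            return
        self.masterless_ticks += 1
        quorum = len(self.alive) > len(self.names) // 2
        if self.masterless_ticks >= self.election_delay and quorum:
            self.master = min(self.alive)

    def write(self, key, value):
        """Updates are accepted by the master only, then copied to live nodes."""
        if self.master is None:
            return False                      # e.g. a password change is refused
        for n in self.alive:
            self.db[n][key] = value
        return True

    def read(self, node, key):
        """Any live node can answer reads from its own (possibly stale) copy."""
        return self.db[node].get(key) if node in self.alive else None


def demo():
    # Constructed scenario: three KDCs, master fails, three ticks to re-elect.
    c = Cluster(["kdc1", "kdc2", "kdc3"], election_delay=3)
    log = [c.write("alice@EXAMPLE.COM", "kvno=1")]
    c.fail("kdc1")
    for _ in range(3):
        log.append(c.write("alice@EXAMPLE.COM", "kvno=2"))
        c.tick()
    log.append(c.write("alice@EXAMPLE.COM", "kvno=2"))
    return log, c.master, c.read("kdc2", "alice@EXAMPLE.COM")
```

In this model, reads keep working from the surviving replicas during the election window, while every update is refused until a new master exists.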
