I haven¹t seen this idea posted anywhere. The new version of OpenLDAP (I¹m using 2.4.15) has the ability to run in a multi-master mode. I was able to set up two servers that each ran a Kerberos instance as well as an OpenLDAP instance that had ldap and kerberos failover. I now don¹t need to worry about doing any sync with Kerberos, as LDAP does it all. I can also run kadmin against either of the kerberos servers. Some tests I did that were pretty successful were:
Realm setup: kdc = kdc01.security.lab.comcast.net:88 kdc = kdc02.security.lab.comcast.net:88 Turn off kdc on kdc01 -> successfully authenticated with kdc02 Turn on kdc but turn off ldap on kdc01 -> successfully authenticated with kdc02 The failover works exactly as a expected. -- MAT ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
