Hi,

I'd like to know what the supported methods of usage are if I have to
use two or more KDC instances with one LDAP directory. I can see a
couple of scenarios, but I'm not really sure what the supported way of
dealing with them is. For example:

1) Two KDC servers, one LDAP server, same realm:
Since LDAP has no locking mechanism, would there be potential race
conditions? Is kpropd the correct way of doing this?

2) Two KDC servers, one LDAP server, separate realms:
I don't see why I couldn't have two KDC instances using the same LDAP
server, if they are not dealing with the same realm.

3) One KDC server, two mirror LDAP servers, same realm:
The way I see it, we would need LDAP synchronization between the LDAP
servers.

4) Two KDC servers, two mirror LDAP servers, same realm:
We should use kpropd + LDAP synchronization?

5) Two KDC servers, two mirror LDAP servers, separate realms:
Same as (2)?


Thanks,

-Klaus

--
Klaus Heinrich Kiwi
Linux Security Development, IBM Linux Technology Center