LDAP is the only builtin KDC backend that supports multi-master KDCs at all. (I don't know whether there are any public out-of-tree backends that do so.)
So, while you could use the LDAP backend with a single LDAP master and multiple KDC masters, that master LDAP server would be a SPOF.

-Ben

On Sat, Feb 02, 2019 at 01:45:44PM -0500, Yegui Cai wrote:
> Would it be possible to not leverage ldap for multiple-master deployment?
>
> On Sat, Feb 2, 2019 at 1:14 PM Benjamin Kaduk <ka...@mit.edu> wrote:
>
> > Most of the instances I've heard about that use multi-master KDCs also use
> > multi-master LDAP replication, to avoid the SPOF.
> >
> > -Ben
> >
> > On Sat, Feb 02, 2019 at 11:12:33AM -0500, Yegui Cai wrote:
> > > Hi Thor.
> > > So you have a shared ldap? If so, could that ldap be a single point of
> > > failure?
> > >
> > > Thanks,
> > > Yegui
> > >
> > > On Sat, Feb 2, 2019 at 11:10 AM t Seeger <tseeger...@gmail.com> wrote:
> > >
> > > > Hey Yegui,
> > > >
> > > > I use a multi master setup. For the sync I use openldap.
> > > >
> > > > Greeting Thor
> > > >
> > > > On 2. Feb 2019, at 15:38, Yegui Cai <caiye...@gmail.com> wrote:
> > > >
> > > > Hi all.
> > > > I know the official document recommends master-slave deployment for
> > > > production environment.
> > > > Wonder if any try to do a master-master deployment? If yes, how could
> > > > you sync between two masters?
> > > > Thanks,
> > > > Yegui
> > > >
> > > > ________________________________________________
> > > > Kerberos mailing list Kerberos@mit.edu
> > > > https://mailman.mit.edu/mailman/listinfo/kerberos
> > > >
> > >
> > > ________________________________________________
> > > Kerberos mailing list Kerberos@mit.edu
> > > https://mailman.mit.edu/mailman/listinfo/kerberos
> >

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos