So management wants to replicate our core authentication infrastructure into the cloud so that if the campus is down, people will still be able to access cloud services. The components in question consist of a Shibboleth IdP which avails of Kerberos for authentication and LDAP for directory services/attributes.
Ideally, I would like on-campus services to use the campus instances if they are available, and fail over to the cloud instances if not. Correspondingly, I would like the cloud services to use the cloud instances if they are available, and the campus ones if not.

For LDAP, the IdP allows configuration of multiple directory servers, with failover. So I can easily configure the campus IdP to hit campus LDAP first, then fail over to the cloud, and vice versa for the cloud IdP.

I'm trying to figure out how to handle Kerberos. The question is also complicated in that the IdP uses the Java Kerberos client, which I don't think has feature parity with the MIT libraries in terms of KDC discovery.

Using SRV or URI DNS records, it looks like I can configure some number of KDCs as primary, and other ones as secondary. However, this would cause both the campus and cloud instances to get the same one first, and the other one second. Potentially this could be worked around with separate DNS views, but I don't think that is going to be feasible for this deployment. I am also not sure if the Java Kerberos client understands SRV/URI records and properly splits them based on priority?

In the krb5.conf file, you can specify KDCs statically, but there is no mechanism for prioritizing them or indicating which ones should be tried first. You can also specify one or more master_kdc entries, but based on the documentation those are only accessed in the case of a password failure on one of the regular kdc entries? If, hypothetically, all of the regular kdc entries time out, would the master_kdc entries still be used, or would the request simply fail at that point with an unreachable KDC error?

Any other suggestions for achieving a separate primary/failover configuration for two different network locations in a fashion that would work properly with the Java Kerberos client?
Thanks much…

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
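One way to get per-site primary/failover ordering without DNS views is to ship a different krb5.conf to each site, since both MIT libkrb5 and the JDK Kerberos client contact the `kdc =` entries of a realm in the order they appear in the file. The following is an added example, not code from the post or from Shibboleth or MIT: it renders a campus and a cloud variant of krb5.conf from one host list (the realm and hostnames are constructed placeholders), parses the `[realms]` block back to show the resulting try order, and models failover with an injected reachability probe so it runs offline. The `kdc_timeout`/`max_retries` keys are JDK client settings; their units as commented are my reading of the JDK krb5.conf documentation and should be checked against the JDK version in use. `master_kdc` is kept in both variants only for the password-change case the post describes; it is not relied on for failover.

```python
"""Added example (not from the mailing-list post): build one krb5.conf
per site so that each site's Kerberos clients try their local KDC first,
and parse the result back to show the resulting try-order."""
import re
from typing import Callable, Dict, List

REALM = "EXAMPLE.EDU"                          # constructed placeholder
SITES: Dict[str, List[str]] = {                # constructed placeholder hosts
    "campus": ["kdc1.campus.example.edu", "kdc2.campus.example.edu"],
    "cloud":  ["kdc1.cloud.example.edu"],
}
MASTER = "kdc1.campus.example.edu"             # where password changes land


def render_krb5_conf(local_site: str) -> str:
    """Return a krb5.conf for one site: local KDCs listed first, then the
    other site's KDCs. Both MIT libkrb5 and the JDK client contact
    'kdc =' entries in file order, so file order is the priority mechanism.
    dns_lookup_kdc is off so SRV records cannot override that order."""
    ordered = list(SITES[local_site]) + [
        h for site, hosts in SITES.items() if site != local_site for h in hosts
    ]
    kdc_lines = "\n".join(f"        kdc = {h}:88" for h in ordered)
    return f"""[libdefaults]
    default_realm = {REALM}
    dns_lookup_kdc = false
    # JDK client keys (assumption: kdc_timeout is milliseconds per attempt,
    # max_retries is attempts per KDC before moving to the next entry).
    kdc_timeout = 3000
    max_retries = 2

[realms]
    {REALM} = {{
{kdc_lines}
        master_kdc = {MASTER}:88
        admin_server = {MASTER}:749
    }}
"""


def kdc_try_order(conf: str, realm: str = REALM) -> List[str]:
    """Parse the [realms] block for `realm` and return its 'kdc =' values
    in file order, i.e. the order a client will try them. master_kdc
    lines are deliberately not included."""
    block = re.search(
        r"\[realms\].*?" + re.escape(realm) + r"\s*=\s*\{(.*?)\}", conf, re.S
    )
    if not block:
        raise ValueError(f"realm {realm} not found in krb5.conf")
    return re.findall(r"^\s*kdc\s*=\s*(\S+)", block.group(1), re.M)


def first_reachable(order: List[str], reachable: Callable[[str], bool]) -> str:
    """Walk the try-order and return the first KDC the probe accepts,
    modelling client failover. The probe is injected so this runs
    offline; a real check would be a TCP connect to the host's port 88."""
    for host in order:
        if reachable(host):
            return host
    raise RuntimeError("no KDC reachable in configured order")


if __name__ == "__main__":
    for site in SITES:
        order = kdc_try_order(render_krb5_conf(site))
        print(f"{site:6s} tries: {' -> '.join(order)}")
    # Simulate the campus link being down: hosts with 'campus' are unreachable.
    campus_down = lambda h: "campus" not in h
    for site in SITES:
        order = kdc_try_order(render_krb5_conf(site))
        print(f"{site:6s} with campus down uses: {first_reachable(order, campus_down)}")
```

Deploy the rendered file per site (for the Java IdP, point the JVM at it with `-Djava.security.krb5.conf=/path/to/krb5.conf`), and keep the two variants generated from the same host list so a KDC added later is reflected in both orderings rather than in only one.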