Yubico Forum https://forum.yubico.com/ |
[QUESTION] sync between servers https://forum.yubico.com/viewtopic.php?f=31&t=1381 |
Author: | nvitaly [ Wed May 07, 2014 2:18 pm ] |
Post subject: | [QUESTION] sync between servers |
We want to use YubiX with multiple servers (with Yubico cloud auth and a local users database for now). What is the best approach to sync users between servers? So far I am thinking about simple MySQL replication from master to slaves, but I don't want to complicate things if a "more correct" way is available. Thank you. |
Author: | FlorinAndrei [ Wed Sep 03, 2014 10:00 pm ] |
Post subject: | Re: [QUESTION] sync between servers |
I have the exact same problem. I need to set up a couple of redundant YubiX instances, with local auth. Obviously, maintaining the keys and users across several separate instances is not desirable. Master/master replication with MySQL might work (via a secure channel, like VPN), but which parts need to be replicated? Also, there's ykval-queue. Which parts of the database are touched by it? Would master/master replication (configured indiscriminately) break ykval-queue? Can I just master/master replicate the whole database, and just point the YubiX stack, on each server, at the local MySQL - effectively having a duplicated YubiX server? (same DB structure everywhere, etc.) Then ykval-queue would have to be turned off, right? YubiX is a very interesting concept, but it's not that useful if there's no clear way to set up multiple redundant servers. I only need a few pointers, what goes where (so to speak), and I'll try to figure out the rest myself. I'm willing to write a HOWTO and post it on the forum, if only someone could answer my questions above and get me started. |
Author: | dain [ Fri Sep 05, 2014 11:02 pm ] |
Post subject: | Re: [QUESTION] sync between servers |
The OTP validating parts can easily be distributed: KSMs need no synchronizing outside of having the YubiKey secrets placed on each of them, and the validation server (YK-KSM) has synchronization built in. YubiAuth is not yet set up for distributed use, but should work with multiple instances using master/master replication and otherwise identical configuration. I would not recommend having multiple YK-VAL instances using replicated databases however, as this could possibly interfere with the built-in synchronization in unexpected ways. |
All times are UTC + 1 hour |