I have the exact same problem.
I need to set up a couple redundant YubiX instances, with local auth. Obviously, maintaining the keys and users across several separate instances is not desirable. Master/master replication with MySQL might work (via a secure channel, like VPN), but which parts need to be replicated?
Also, there's ykval-queue. Which parts of the database are touched by it? Would master/master replication (configured indiscriminately) break ykval-queue?
Can I just master/master replicate the whole database, and just point the YubiX stack, on each server, at the local MySQL - effectively having a duplicated YubiX server? (same DB structure everywhere, etc.) Then ykval-queue would have to be turned off, right?
YubiX is a very interesting concept, but it's not that useful if there's no clear way to set up multiple redundant servers.
I only need a few pointers, what goes where (so to speak), and I'll try to figure out the rest myself. I'm willing to write a HOWTO and post it on the forum, if only someone could answer my questions above and get me started.
_________________ Florin Andrei http://florin.myip.org/