[krbdev.mit.edu #8027] Client RPC timeout during kadmin listprincs command

Tsu-Phong Wu via RT rt-comment at krbdev.mit.edu
Thu Oct 23 15:13:25 EDT 2014


Thanks for the reply.

Our current version is 1.8.6 (and an older version 1.4 something) and apparently we'll have issues there.

Is there a bug# on this LDAP KDB performance and do you happen to know how big the effort is to port it to pre-1.9?

Thanks.
Tsu-Phong

----- Original Message -----
From: rt-comment at krbdev.mit.edu
Sent: Tuesday, October 21, 2014 11:44:54 AM GMT -08:00 US/Canada Pacific
Subject: [krbdev.mit.edu #8027] Client RPC timeout during kadmin listprincs command

Before we commit to changing the default or making it configurable, I would 
like to know what version of Kerberos is being used on the back end.  Prior 
to release 1.9, the LDAP KDB module takes O(N^2) time to iterate over N 
principals due to a combination of questionable design features.  It is 
possible that retrieving even a hundred thousand principal names could be 
done in less than 120 seconds without this bug.

If we do need to make a change, I would suggest using a very long timeout 
or (if possible) disabling the timeout entirely.  Since kadmin runs over TCP, 
there isn't really a strong need to time out if kadmind takes a long time 
to respond.
_______________________________________________
krb5-bugs mailing list
krb5-bugs at mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs


