Kerberos behind load balancer?
Tillman Hodgson
tillman at seekingfire.com
Wed Oct 6 12:46:49 EDT 2004
On Wed, Oct 06, 2004 at 09:59:06AM -0400, Ken Hornstein wrote:
> And let me echo the comments of others: we've run our Kerberos servers on
> the oldest, crappiest hardware we've had kicking around the dustbin (we
> upgrade it occasionally, but it's always to the latest "crappiest" system
> we've got laying around). I seriously doubt you're going to need a load
> balancer. And if you don't need it, I can't see it causing you anything
> but trouble in the long run.
I can echo that sentiment as well. When I first started looking into
Kerberos I was concerned about client load on the KDC.
This post (from 1993) put my fears to rest:
http://groups.google.ca/groups?hl=en&lr=&th=f5ea1615382bdfcc&rnum=2
I can indeed confirm that a DECStation 5000/25 (with a 25MHz MIPS R3000
CPU and a 10MBit AUI ethernet port) can handle whatever I could throw at
it, including authentication for a website (via apache mod_auth_kerb)
that did not cache tickets, without showing any real load that I could
measure. It was _idling_.
I'm now running it on a SparcStation 10, simply because I don't have the
DECStation any more and the old Sun box is the oldest crappiest hardware
I have left where I still trust the hard drive (a relatively modern
Seagate replacement, in this case).
Older RISC hardware also tends to have real serial consoles, which is a
Good Thing on a KDC that doesn't allow network logins :-)
If I /was/ going to load balance a KDC in some form, I'd do it not to
shift load as in CPU-load but rather to optimize latency for wide-area
links. Anycast would be the method I'd use.
-T
--
"If you already know what recursion is, just remember the answer.
Otherwise, find someone who is standing closer to Douglas Hofstadter
than you are; then ask him or her what recursion is."
-- Andrew "Zarf" Plotkin