Kerberos Database Size
Ken Raeburn
raeburn at MIT.EDU
Thu Jan 20 15:30:22 EST 2005
On Jan 20, 2005, at 13:36, Steve Edgar wrote:
> Does anyone know how large a Kerberos database on a single KDC can get
> before performance becomes an issue? For example, would a Kerberos
> database be able to handle 750,000 principals? 1,000,000 principals?
> Hardware is a major factor, but assuming the KDC is on a "relatively
> fast" hardware configuration, are there any other limiting factors?
I would think in most cases the transaction rate would be a lot
more interesting than the database size. Two
extreme-to-the-point-of-absurdity cases: A database with 10**6
principals should be just fine if you have less than one request per
second, but a KDC may not be able to handle 10**6 transactions per
second no matter how small the database is. Of course, for transaction
rates in between, the database size *and structure* will affect the
cost of looking up any one given database entry. If that gets to be a
problem, one could tweak the software a bit (in the open source
implementations) to gain some speedups, like caching the data for the
TGT and a few popular services, and maybe the last N client principals;
cache key schedules for certain keys; stuff like that.
All that hand-waving aside, I'd be curious to see numbers (db size and
transaction rates) for various sites, especially any sites that have
found KDC performance to be a problem. (And especially if it's with
the MIT KDC code.)
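
The caching idea suggested in the reply above, as an added example (not code from the post or from any Kerberos implementation): a few pinned entries for the TGT and popular services, plus an LRU of the last N other principals, in front of a slow database lookup. `PrincipalCache`, `simulate`, the sample principals and the one-lookup-per-client-and-service request model are all assumptions made for illustration.

```python
from collections import OrderedDict

class PrincipalCache:
    """Illustrative front-end cache for a KDC principal database lookup."""

    def __init__(self, backend_lookup, pinned, last_n):
        self._lookup = backend_lookup     # slow path: the real database fetch
        self._pinned_names = set(pinned)  # TGT and popular services, never evicted
        self._pinned = {}
        self._recent = OrderedDict()      # last N other principals, in LRU order
        self._last_n = last_n
        self.hits = self.misses = 0

    def get(self, name):
        for store in (self._pinned, self._recent):
            if name in store:
                self.hits += 1
                if store is self._recent:
                    store.move_to_end(name)   # mark as most recently used
                return store[name]
        self.misses += 1
        entry = self._lookup(name)
        if name in self._pinned_names:
            self._pinned[name] = entry
        else:
            self._recent[name] = entry
            if len(self._recent) > self._last_n:
                self._recent.popitem(last=False)  # evict least recently used
        return entry

    def invalidate(self, name):
        """Drop an entry after a key or attribute change so stale data is not served."""
        self._pinned.pop(name, None)
        self._recent.pop(name, None)

# Constructed sample traffic: (client, service) pairs; one lookup each is a simplification.
TGT, MAIL = "krbtgt/EXAMPLE.COM@EXAMPLE.COM", "host/mail.example.com@EXAMPLE.COM"
REQUESTS = [("alice", TGT), ("alice", MAIL), ("bob", TGT), ("carol", TGT), ("alice", MAIL)]

def simulate(requests, pinned, last_n):
    """Replay requests against a stand-in database; return (hits, misses)."""
    cache = PrincipalCache(lambda name: {"principal": name, "kvno": 1}, pinned, last_n)
    for client, service in requests:
        cache.get(client)
        cache.get(service)
    return cache.hits, cache.misses

if __name__ == "__main__":
    print("pinned + last 2:", simulate(REQUESTS, (TGT, MAIL), 2))
    print("no pinning, last 2:", simulate(REQUESTS, (), 2))
```

Any such cache has to be invalidated when a principal's keys or attributes change; otherwise the KDC keeps issuing tickets under the old entry until it is evicted.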