ldap_conns_per_server = 5
Greg Hudson
ghudson at MIT.EDU
Mon Mar 8 17:50:00 EST 2010
On Mon, 2010-03-08 at 15:35 -0500, Kevin Longfellow wrote:
> Going through krb5.conf for a kdc that will be using ldap as the back
> end, the variable ldap_conns_per_server = 5 seems low. Consider a kdc
> for 30k+ users will this setting be ok? What does this variable
> really limit? Having no practical experience with a large deployment
> using ldap as the back end, this variable caught my eye and concerns
> me as being too low for a very large number of users.
I believe that parameter doesn't actually do anything productive. It
controls the number of connections created when a realm is
initialized... but since the KDC code is single-threaded, it only winds
up using one connection at a time anyway.
As for whether 30K users might overburden a single-threaded KDC:
possibly, but if you have a reasonably fast LDAP server it might not
actually be a problem. You can have a large number of users and still
have a pretty light KDC load since users only need to get tickets when
they obtain initial credentials or get credentials for a new service.
We have an enhancement in mind (but not yet implemented) to help deal
with situations where KDC load is an issue. See
http://k5wiki.kerberos.org/wiki/Projects/Parallel_KDC for details.
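For orientation, here is where that parameter lives: a krb5.conf [dbmodules] stanza for the kldap back end, with the realm pointing at it. This is an added example, not a fragment from the original thread or from the MIT krb5 project; the realm name, DNs, hostnames, key file path and the module name "ldapconf" are hypothetical placeholders.

```ini
# Added illustrative krb5.conf fragment, not from the original thread.
# All DNs, hostnames, the key file path and the module name "ldapconf"
# are hypothetical; replace them with your own values.
[realms]
    EXAMPLE.COM = {
        database_module = ldapconf
    }

[dbmodules]
    ldapconf = {
        db_library = kldap
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
        ldap_kdc_dn = cn=kdc-service,dc=example,dc=com
        ldap_kadmind_dn = cn=adm-service,dc=example,dc=com
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        ldap_servers = ldapi:/// ldap://ldap2.example.com
        # Connections opened per server at realm initialisation. Per the
        # reply above, a single-threaded KDC only ever uses one at a time,
        # so raising this does not add throughput.
        ldap_conns_per_server = 5
    }
```

The setting worth attention for a large realm is not ldap_conns_per_server but the speed of the directory behind ldap_servers (which may list more than one server URI); the KDC and kadmind bind DNs must have their credentials stashed in the file named by ldap_service_password_file, and that file should be readable only by the KDC user.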