how to "ban" clients?

Nico Williams nico at cryptonector.com
Mon Jul 25 16:08:22 EDT 2011


On Jul 25, 2011 11:37 AM, "Greg Hudson" <ghudson at mit.edu> wrote:
> On Sun, 2011-07-24 at 17:30 -0400, Nico Williams wrote:
> > For performance reasons?  It's like this forever, so there may not be
> > a performance reason anymore.  IMO this should be fixed.
>
> I think performance is still an issue.  We definitely still get feedback
> about the number of LDAP queries per KDC operation, and TGS requests are
> more frequent than AS requests.  (At least, they should be.  It depends
> on how often the KDC is used purely as a password verifier.)

For LDAP the kdc ought to be async and/or multi-processed/threaded.  Yeah, I
know, it's not, but that's not my problem or that of anyone not using the
LDAP backend.

Also, IIRC LDAP has a method by which to request cache entry invalidation
updates.  Maybe the LDAP backend ought to cache, which would be no worse
than not doing the client principal lookup in the TGS case, and if you can
quickly invalidate cached entries, that's a win.

IMO making this change would be a win.

Nico
--