how to "ban" clients?
Chris Hecker
checker at d6.com
Mon Jul 25 16:26:06 EDT 2011
I use an LDAP backend, and I still want this "ban" feature and am
willing to pay for it (and implement it :).
I guess if/when I get hit with performance problems, I will look into
those too, so maybe I will be hoisted on my own petard, or maybe the
ldap backend will get optimized as a secondary effect of me adding this
feature!
Chris
On 2011/07/25 13:08, Nico Williams wrote:
> On Jul 25, 2011 11:37 AM, "Greg Hudson" <ghudson at mit.edu
> <mailto:ghudson at mit.edu>> wrote:
> > On Sun, 2011-07-24 at 17:30 -0400, Nico Williams wrote:
> > > For performance reasons? It's like this forever, so there may not be
> > > a performance reason anymore. IMO this should be fixed.
> >
> > I think performance is still an issue. We definitely still get feedback
> > about the number of LDAP queries per KDC operation, and TGS requests are
> > more frequent than AS requests. (At least, they should be. It depends
> > on how often the KDC is used purely as a password verifier.)
>
> For LDAP the kdc ought to be async and/or multi-processed/threaded.
> Yeah, I know, it's not, but that's not my problem or that of anyone not
> using the LDAP backend.
>
> Also, IIRC LDAP has a method by which to request cache entry
> invalidation updates. Maybe the LDAP backend ought to cache, which
> would be no worse than not doing the client principal lookup in the TGS
> case, and if you can quickly invalidate cached entries, that's a win.
>
> IMO making this change would be a win.
>
> Nico
> --
>
More information about the Kerberos
mailing list