Performance issue with kerberos with ldap backend
Sereyvathana Ty
sty.mailing.list at gmail.com
Mon Sep 24 17:13:37 EDT 2012
Hi,
I want to use Kerberos with LDAP backend. I am using 389-ds as my LDAP
server. I was able to configure Kerberos to work with dirsrv by following
this guide (https://help.ubuntu.com/12.04/serverguide/kerberos-ldap.html).
However, I am configuring this for CentOS 6 not Ubuntu. I was able to
populate the database using kadmin.local, and do all the Kerberos
functionalities. However, it is very slow when I have a large number of
principals (about 20,000). For example, the ‘listprincs’ command would take
about one hour to return. Moreover, I found out that it has to do with
the Kerberos policy attribute (i.e. krbPwdPolicyReference). I ran a simple
test (see below). That is, test_usr_1000 has a policy call, but
test_usr_1001 does not have a policy. Without the policy, I was able to
receive a response from the KDC very fast (almost like using the flat
database). With the policy, it takes about 1.5 seconds (avg over 1000
tries). This KDC is running in a VM with 2 CPUs and 4 gigs of RAM.
[usr@example ~]# time kinit -k -t /tmp/test.keytab test_usr_1000
real 0m1.466s
user 0m0.070s
sys 0m0.011s
[usr@example ~]# time kinit -k -t /tmp/test.keytab test_usr_1001
real 0m0.192s
user 0m0.109s
sys 0m0.008s
I was wondering if anyone has problems related to this or has experience
setting Kerberos with LDAP on CentOS and 389-ds.
Thank you for your time.
Serey