Performance issue with kerberos with ldap backend

Greg Hudson ghudson at MIT.EDU
Tue Sep 25 01:00:54 EDT 2012


On 09/24/2012 05:13 PM, Sereyvathana Ty wrote:
> Without the policy, I was able to
> receive response from the KDC very fast (almost like using the flat
> database). With the policy, it takes about 1.5 second (avg over 1000
> tries). This kdc is running in a VM with 2 cpus and 4 gig of rams.

This should be better in MIT krb5 1.9 or later.  In krb5 1.8 and prior,
fetching password policies was very slow with large KDBs because the
module would scan all principals in order to populate a reference count
field.

It looks like CentOS 6.1 and later have krb5 1.9, but CentOS 6.0 (which
I think is no longer receiving updates) has 1.8.

> For example, ‘listprincs’ command would take
> about one hour to return.

This appears to be a related problem and should also be better in MIT
krb5 1.9, although you wouldn't immediately think that listprincs would
involve retrieving policy entries.  The LDAP back end appears to dynamically
calculate a principal's password expiration at lookup time using the
principal's policy entry and its last password change time.

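Not part of the original thread: a shell check, added here, that turns the version threshold in the reply (MIT krb5 1.9 or later has the faster policy fetch in the LDAP back end) into something an administrator can run on the KDC host. It parses the output of `krb5-config --version` (which has the form "Kerberos 5 release X.Y.Z") and falls back to a constructed sample string when krb5-config is not installed, so it runs offline. The function names and the 1.9 cut-off are taken from the reply above, not from MIT krb5 itself.

```shell
# Added example (not from the original thread): decide whether the installed
# MIT krb5 is new enough (>= 1.9) that fetching a password policy no longer
# scans every principal in the KDB, as the reply above describes.

# Extract "major.minor" from a krb5-config --version string,
# e.g. "Kerberos 5 release 1.10.3" -> "1.10". Prints nothing if unparseable.
krb5_version_from_string() {
    printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Return 0 if major.minor "$1" is >= major.minor "$2", else 1.
version_ge() {
    maj1=${1%%.*}; min1=${1#*.}
    maj2=${2%%.*}; min2=${2#*.}
    if [ "$maj1" -ne "$maj2" ]; then
        [ "$maj1" -gt "$maj2" ]
    else
        [ "$min1" -ge "$min2" ]
    fi
}

# Given a krb5-config --version string, print a verdict.
# Returns 0 when policy fetch is the fast (1.9+) code path, 1 when it is the
# slow (1.8 and earlier) path, 2 when the version could not be parsed.
ldap_policy_fetch_is_fast() {
    ver=$(krb5_version_from_string "$1")
    if [ -z "$ver" ]; then
        echo "could not parse krb5 version from: $1" >&2
        return 2
    fi
    if version_ge "$ver" 1.9; then
        echo "krb5 $ver: policy fetch does not scan all principals"
        return 0
    else
        echo "krb5 $ver: policy fetch scans every principal (slow on large KDBs); upgrade to 1.9 or later"
        return 1
    fi
}

# Use the real krb5-config when present; otherwise a constructed sample string
# standing in for a CentOS 6.0 style install.
if command -v krb5-config >/dev/null 2>&1; then
    ldap_policy_fetch_is_fast "$(krb5-config --version)" || true
else
    ldap_policy_fetch_is_fast "Kerberos 5 release 1.8.2" || true   # constructed sample
fi
```

On a CentOS 6 host without krb5-config you can feed the same function the output of `rpm -q --qf 'Kerberos 5 release %{VERSION}\n' krb5-server` instead; only the "release X.Y" part is read.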