Performance issue with kerberos with ldap backend

Sereyvathana Ty sty.mailing.list at gmail.com
Tue Sep 25 15:32:49 EDT 2012


Upgrading to the latest krb5 works.

Thanks,

Serey

On Mon, Sep 24, 2012 at 11:00 PM, Greg Hudson <ghudson at mit.edu> wrote:

> On 09/24/2012 05:13 PM, Sereyvathana Ty wrote:
> > Without the policy, I was able to
> > receive a response from the KDC very fast (almost like using the flat
> > database). With the policy, it takes about 1.5 seconds (avg over 1000
> > tries). This KDC is running in a VM with 2 CPUs and 4 gigs of RAM.
>
> This should be better in MIT krb5 1.9 or later.  In krb5 1.8 and prior,
> fetching password policies was very slow with large KDBs because the
> module would scan all principals in order to populate a reference count
> field.
>
> It looks like CentOS 6.1 and later have krb5 1.9, but CentOS 6.0 (which
> I think is no longer receiving updates) has 1.8.
>
> > For example, ‘listprincs’ command would take
> > about one hour to return.
>
> This appears to be a related problem and should also be better in MIT
> krb5 1.9, although you wouldn't immediately think that listprincs would
> be retrieving policy entries.  The LDAP back end appears to dynamically
> calculate a principal's password expiration at lookup time using the
> principal's policy entry and its last password change time.
>
>

