krb5/ldap troubles
Berthold Cogel
cogel at uni-koeln.de
Thu Jun 13 09:28:04 EDT 2013
Hello!
I have some problems with a krb5/ldap setup and I'm still trying to
understand what I'm dealing with.
System: RHEL5
Kerberos: 1.6.1-70.el5 (MIT/RHEL)
LDAP: openldap-ltb-2.4.28-1.el5
Kerberos is talking to the local LDAP via LDAPI.
We've migrated our users from our old identity management
system to a new one and pushed the accounts into
Kerberos (kadmin is called remotely from the IDM). Now I've run into some
problems:
- kadmind slowed down during the process. Starting with an almost empty
database I was able to do about 3 'addprinc' jobs per second. And I
ended up with about 8 seconds per principal after about 68000 users.
- The host is a virtual host. I started with 2 cores and upgraded the
system to 4 cores during the process with almost no effect. Load is not
very high, but about 50% system...
These problems do hit me only during the initial setup, but...
- When kadmind is being called, we see about 80000 to 100000 context
switches (cs, vmstat 1) per second (no kadmin action: about 100 - 1000 cs).
- Password changes are slow too (8 seconds).
- Simple kinit causes a 140000 cs spike for password prompt and another
130000 cs spike for authentication. This is a lot...
- ldapsearch for the complete tree takes about 15 seconds (about 250000
cs for the request)
- ldapsearch for one principal ... almost no impact
This doesn't look like an LDAP problem to me. But there is an old system
(VM, 2 cores, RHEL3, MIT-Krb 1.4.3, no LDAP-Backend) that doesn't show
these effects.
This is what I have in the kdc.conf:
[kdcdefaults]
kdc_ports = 750,88
kdc_tcp_ports = 88
v4_mode = nopreauth
[realms]
RRZ.UNI-KOELN.DE = {
database_name = /var/kerberos/krb5kdc/principal
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
key_stash_file = /var/security/kerberos/.k5.RRZ.UNI-KOELN.DE
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = aes256-cts
supported_enctypes = aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal des:afs3
supported_keytypes = aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal des:afs3
default_principal_flags = +preauth
database_module = openldap_ldapconf
}
[logging]
admin_server = SYSLOG:INFO:LOCAL0
kdc = SYSLOG:INFO:LOCAL0
[dbdefaults]
ldap_kerberos_container_dn = "ou=Kerberos,dc=uni-koeln,dc=de"
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kerberos_container_dn = "ou=Kerberos,dc=uni-koeln,dc=de"
ldap_kdc_dn = "cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de"
ldap_kadmind_dn = "cn=kadmind,ou=Kerberos,dc=uni-koeln,dc=de"
ldap_service_password_file = "/var/kerberos/krb5kdc/service.keyfile"
ldap_servers = "ldapi://%2Fvar%2Frun%2Fldapi"
ldap_cons_per_server = 10
}
krb5.conf...
[libdefaults]
default_realm = RRZ.UNI-KOELN.DE
# these numbers are in seconds:
# 2592000 is 30 days (the maximum AFS token lifetime)
#
ticket_lifetime = 2592000
default_lifetime = 2592000
renew_lifetime = 2592000
kdc_timesync = 0
forwardable = true
renewable = true
allow_weak_crypto=true
[realms]
RRZ.UNI-KOELN.DE = {
kdc = <a>.rrz.uni-koeln.de:88
kdc = <b>.rrz.uni-koeln.de:88
kdc = <c>.rrz.uni-koeln.de:88
admin_server = <a>.rrz.uni-koeln.de:749
default_domain = rrz.uni-koeln.de
}
[domain_realm]
.rrz.uni-koeln.de = RRZ.UNI-KOELN.DE
.uni-koeln.de = RRZ.UNI-KOELN.DE
[logging]
admin_server = SYSLOG:INFO:LOCAL0
kdc = SYSLOG:INFO:LOCAL0
slapd.conf...
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/eduperson.schema
include /etc/openldap/schema/dfneduperson.schema
include /etc/openldap/schema/schac.schema
include /etc/openldap/schema/edumember.schema
include /etc/openldap/schema/UniColognePerson.schema
include /etc/openldap/schema/kerberos.schema
pidfile /usr/local/openldap/var/run/slapd.pid
argsfile /usr/local/openldap/var/run/slapd.args
modulepath /usr/local/openldap/libexec/openldap
# TLS definitions
TLSCertificateFile xxxxxx
TLSCertificateKeyFile xxxxxx
TLSCACertificatePath /etc/pki/tls/certs
security ssf=64 update_ssf=112 simple_bind=64
localSSF 256
include /etc/openldap/acl.inc
sizelimit unlimited
idletimeout 20
loglevel none
database hdb
suffix "dc=uni-koeln,dc=de"
rootdn "cn=xxxxx"
rootpw xxxxxx
cachesize 100000
idlcachesize 300000
checkpoint 4096 10
directory /var/lib/ldap
index mail eq
index cn eq,sub
index sn eq,sub
index givenname eq,sub
index uid eq
index objectclass eq
index entryCSN eq
index entryUUID eq
index UniCologneMailPolicy eq
index description sub
index krbPrincipalName eq,pres,sub
index krbPwdPolicyReference eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
overlay auditlog
auditlog /tmp/openldapaudit.log
database monitor
What causes these huge numbers of context switches, and how can I reduce
them? Help would be appreciated.
Berthold Cogel
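Added example, not part of the original post or of MIT krb5: a small Python tool that attributes a context-switch spike to the daemon taking it. vmstat's "cs" column is the delta of the system-wide "ctxt" counter in /proc/stat; the per-task counters voluntary_ctxt_switches and nonvoluntary_ctxt_switches in /proc/<pid>/status say which process is actually switching. Snapshotting slapd, krb5kdc and kadmind around one operation (one kinit, one addprinc) shows where the 130000 switches land. The daemon names, the keytab-based kinit in the usage block and the snapshots in the test are assumptions and constructed input, not data from the post.

```python
"""Attribute a context-switch spike to the process that takes it.

Added example, not from the original post. Reads the system-wide "ctxt"
counter in /proc/stat (what vmstat's "cs" column is derived from) and the
per-task voluntary/nonvoluntary counters in /proc/<pid>/status. Process
names slapd / krb5kdc / kadmind are assumptions."""
import os
import re
import subprocess

_NAME = re.compile(r"^Name:\s+(\S+)", re.M)
_CTXT = re.compile(r"^(voluntary_ctxt_switches|nonvoluntary_ctxt_switches):\s+(\d+)", re.M)


def parse_status(text):
    """(name, voluntary, nonvoluntary) from the text of /proc/<pid>/status.
    A kernel without the per-task counters yields zeros for both."""
    name = _NAME.search(text)
    counts = dict(_CTXT.findall(text))
    return (name.group(1) if name else "?",
            int(counts.get("voluntary_ctxt_switches", 0)),
            int(counts.get("nonvoluntary_ctxt_switches", 0)))


def parse_stat_ctxt(text):
    """System-wide context-switch counter from the text of /proc/stat."""
    m = re.search(r"^ctxt\s+(\d+)", text, re.M)
    return int(m.group(1)) if m else 0


def attribute(before, after):
    """Per-process deltas between two snapshots {pid: status_text}.
    Returns [(pid, name, voluntary_delta, nonvoluntary_delta)], largest first.
    Pids present in only one snapshot (a restarted worker) are skipped."""
    rows = []
    for pid, txt in after.items():
        if pid in before:
            name, v0, nv0 = parse_status(before[pid])
            _, v1, nv1 = parse_status(txt)
            rows.append((pid, name, v1 - v0, nv1 - nv0))
    rows.sort(key=lambda r: r[2] + r[3], reverse=True)
    return rows


def snapshot(names=("slapd", "krb5kdc", "kadmind")):
    """Live: status text of every process whose Name is in `names`."""
    snap = {}
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open("/proc/%s/status" % pid) as f:
                txt = f.read()
        except (IOError, OSError):  # process exited between listdir and open
            continue
        if parse_status(txt)[0] in names:
            snap[pid] = txt
    return snap


def measure(cmd, names=("slapd", "krb5kdc", "kadmind")):
    """Run `cmd` (an argv list) and return (system-wide delta, per-daemon rows)."""
    with open("/proc/stat") as f:
        sys0 = parse_stat_ctxt(f.read())
    before = snapshot(names)
    subprocess.call(cmd)
    after = snapshot(names)
    with open("/proc/stat") as f:
        sys1 = parse_stat_ctxt(f.read())
    return sys1 - sys0, attribute(before, after)


if __name__ == "__main__":
    # keytab-based kinit so the run is exactly one non-interactive operation
    # (principal name is an assumption)
    total, rows = measure(["kinit", "-k", "host/kdc.example.test"])
    print("system-wide ctxt delta: %d" % total)
    for pid, name, vol, nonvol in rows:
        print("%6s %-8s voluntary=%-8d nonvoluntary=%d" % (pid, name, vol, nonvol))
```

Voluntary switches are the process blocking and being woken again (socket reads, mutex waits); nonvoluntary ones are preemption. If nearly the whole spike is voluntary switches inside slapd, the time goes into wakeups rather than CPU work, and `strace -f -c -p <pid>` over the same single operation shows which system calls they come from. The per-task counters appeared in mainline Linux 2.6.23; on a kernel without them the tool still reports the system-wide delta.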
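An added example, not from the post: a line-oriented check for the settings in the quoted kdc.conf, krb5.conf and slapd.conf that a security reviewer would flag, with the weak setting and the recommended one named in each finding (single-DES enctypes, allow_weak_crypto, v4_mode, an audit log under /tmp, sizelimit unlimited, a cleartext rootpw). The fragments it runs against are constructed to mirror the post, with EXAMPLE.TEST standing in for the real realm; it is not a full krb5 profile parser and only joins the wrapped enctype lists kdc.conf permits.

```python
"""Flag weak or risky settings in kdc.conf, krb5.conf and slapd.conf.

Added example, not from the original post. Line-oriented; enough for the
flat 'key = value' lines that matter here. The sample fragments at the
bottom are constructed to mirror the post, not the live files.
A finding is (file, line_no, setting, why)."""
import re

# single-DES enctypes, with or without a ":salt" suffix; des3-* must not match
_WEAK_ENCTYPE = re.compile(r"des(?:-cbc-(?:crc|md5|md4|raw))?(?=[:\s]|$)")
_ENCTYPE_KEYS = ("supported_enctypes", "supported_keytypes", "permitted_enctypes",
                 "default_tgs_enctypes", "default_tkt_enctypes")


def _logical_lines(text):
    """(line_no, line) pairs; comments/blanks dropped, a wrapped value line
    (no '=', not a section header or brace) joined onto its key's line."""
    out = []
    for no, raw in enumerate(text.splitlines(), 1):
        s = raw.strip()
        if not s or s.startswith("#"):
            continue
        if out and "=" not in s and not s.startswith(("[", "}")) and not s.endswith("{"):
            pno, prev = out[-1]
            out[-1] = (pno, prev + " " + s)
        else:
            out.append((no, s))
    return out


def check_krb5(text, fname):
    """Findings for a kdc.conf or krb5.conf fragment."""
    found = []
    for no, line in _logical_lines(text):
        key, _, val = (p.strip() for p in line.partition("="))
        if not val:
            continue
        if key in _ENCTYPE_KEYS:
            weak = [t for t in val.split() if _WEAK_ENCTYPE.match(t)]
            if weak:
                found.append((fname, no, key, "single-DES enctypes (%s): 56-bit keys are "
                              "brute-forceable; drop them once no DES-only client remains" % ", ".join(weak)))
        elif key == "allow_weak_crypto" and val.lower() in ("true", "yes", "1"):
            found.append((fname, no, key, "re-enables DES for every Kerberos client on this host; "
                          "set false once the DES enctypes are gone"))
        elif key == "v4_mode" and val.lower() != "none":
            found.append((fname, no, key, "Kerberos 4 is DES-only and was removed in MIT krb5 1.8; set none"))
        elif key == "master_key_type" and _WEAK_ENCTYPE.match(val):
            found.append((fname, no, key, "a DES master key protects every key in the database"))
    return found


def check_slapd(text, fname="slapd.conf"):
    """Findings for a slapd.conf fragment (directives are whitespace separated)."""
    found = []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        d, args = parts[0].lower(), parts[1:]
        if d == "security":
            for a in args:
                k, _, v = a.partition("=")
                if k in ("ssf", "simple_bind") and v.isdigit() and int(v) < 128:
                    found.append((fname, no, d, "%s=%s admits ciphers below 128-bit strength; "
                                  "128 is the usual floor" % (k, v)))
        elif d == "sizelimit" and args and args[0] == "unlimited":
            found.append((fname, no, d, "any bound client the ACLs allow can pull the whole tree in "
                          "one search; set a default and raise it per DN with 'limits'"))
        elif d == "rootpw" and args and not args[0].startswith("{"):
            found.append((fname, no, d, "cleartext password in the config; use a slappasswd hash"))
        elif d == "auditlog" and args and args[0].startswith(("/tmp/", "/var/tmp/")):
            found.append((fname, no, d, "slapo-auditlog writes every change as LDIF, values included "
                          "(krbPrincipalKey among them), into a world-writable directory; "
                          "use a root-owned directory and a 0600 file"))
    return found


# constructed fragments mirroring the post, not the live files
KDC_CONF = """[kdcdefaults]
v4_mode = nopreauth
[realms]
EXAMPLE.TEST = {
master_key_type = aes256-cts
supported_enctypes = aes256-cts-hmac-sha1-96:normal
des-cbc-crc:normal des:afs3
}
"""
KRB5_CONF = "[libdefaults]\ndefault_realm = EXAMPLE.TEST\nallow_weak_crypto=true\n"
SLAPD_CONF = """security ssf=64 update_ssf=112 simple_bind=64
sizelimit unlimited
rootpw secret
overlay auditlog
auditlog /tmp/openldapaudit.log
"""

if __name__ == "__main__":
    for f in check_krb5(KDC_CONF, "kdc.conf") + check_krb5(KRB5_CONF, "krb5.conf") + check_slapd(SLAPD_CONF):
        print("%s:%d %s: %s" % f)
```

The auditlog finding is the one to act on first: the overlay records each write as LDIF, so every principal pushed in by kadmin leaves its key material in a file under /tmp, created with whatever umask slapd runs with. The DES findings are tied to the `des:afs3` salt still being served for AFS; they stay open until the last DES-only client is gone, at which point `allow_weak_crypto` can go back to false.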