krb5/ldap troubles

Berthold Cogel cogel at uni-koeln.de
Thu Jun 13 13:05:56 EDT 2013


On 13.06.2013 18:04, Greg Hudson wrote:
> On 06/13/2013 09:28 AM, Berthold Cogel wrote:
>> System: RHEL5
>> Kerberos: 1.6.1-70.el5 (MIT/RHEL)
>> LDAP: openldap-ltb-2.4.28-1.el5
> 
> Short answer: you need a newer version of krb5.

This is not possible at the moment. I don't have the time to build and
maintain my own packages.

> 
> Long answer: there's a serious performance scaling issue in the LDAP
> driver prior to version 1.9 when password policy objects are used, for
> two reasons:
> 
> 1. Whenever a policy is looked up, all principals are scanned to find
> out how many principals refer to the policy.  This is almost always
> pointless work, since the "policy reference count" field is rarely used.
> 
> 2. Whenever a principal is looked up, its corresponding policy object is
> also looked up in order to set the password expiration time based on the
> policy's max-life value.  Although this is not completely pointless,
> it's probably going overboard since our DB2 back end doesn't do it.
> 
> So not only does the policy lookup cost scale with the number of
> principals, but so does the principal lookup cost.
> 
> We fixed (1) in 1.9 and will remove (2) in 1.12.  If you cannot upgrade
> to 1.9 or later, you should avoid the use of password policy objects.
> 

How can I do this? I can remove a policy in kadmin, but what happens to
the principals associated with the policy?


Regards
Berthold Cogel
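Added example, not from the thread or from MIT krb5 itself: a small shell helper that walks the principal list and reports which principals reference which password policy, i.e. the same full scan the pre-1.9 LDAP driver repeated on every policy lookup, so the affected principals are known before a policy is removed. The live function assumes kadmin.local run as root on the KDC; the parsing functions are exercised on a constructed getprinc dump.

```shell
#!/bin/sh
# Reduce "getprinc" output (one principal or several concatenated) to
# "<principal> <policy>" lines. MIT kadmin prints "Policy: [none]" when a
# principal has no policy attached.
summarize_getprinc() {
    printf '%s\n' "$1" | awk '
        /^Principal: / { princ = $2 }
        /^Policy: /    { print princ, $2 }'
}

# Count principals per policy from "<principal> <policy>" lines on stdin.
# This is the "policy reference count" the old driver recomputed each time.
count_policy_refs() {
    awk '{ n[$2]++ } END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# Print the principals referencing one policy, from the same lines on stdin.
principals_with_policy() {
    awk -v want="$1" '$2 == want { print $1 }'
}

# Live run on a KDC (root, kadmin.local): one getprinc per principal, which is
# slow on a large realm for exactly the reason discussed above. Detaching a
# principal from its policy afterwards is "modprinc -clearpolicy <principal>".
live_policy_refs() {
    kadmin.local -q listprincs 2>/dev/null | grep -v '^Authenticating' |
    while read -r princ; do
        summarize_getprinc "$(kadmin.local -q "getprinc $princ" 2>/dev/null)"
    done
}

# Constructed sample dump (not real KDC data): two principals on "default",
# one host principal with no policy.
SAMPLE_DUMP="Principal: alice@EXAMPLE.COM
Expiration date: [never]
Policy: default
Principal: bob@EXAMPLE.COM
Expiration date: [never]
Policy: default
Principal: host/kdc.example.com@EXAMPLE.COM
Expiration date: [never]
Policy: [none]"

# Offline demonstration on the constructed dump.
sample_policy_refs() {
    summarize_getprinc "$SAMPLE_DUMP" | count_policy_refs
}
```

Run sample_policy_refs to see the per-policy counts for the constructed data, or `live_policy_refs | principals_with_policy default` on the KDC to list every principal that would be affected by removing the "default" policy.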
