krb5/ldap troubles
Berthold Cogel
cogel at uni-koeln.de
Thu Jun 13 13:05:56 EDT 2013
On 13.06.2013 18:04, Greg Hudson wrote:
> On 06/13/2013 09:28 AM, Berthold Cogel wrote:
>> System: RHEL5
>> Kerberos: 1.6.1-70.el5 (MIT/RHEL)
>> LDAP: openldap-ltb-2.4.28-1.el5
>
> Short answer: you need a newer version of krb5.
This is not possible at the moment. I don't have the time to build and
maintain my own packages.
>
> Long answer: there's a serious performance scaling issue in the LDAP
> driver prior to version 1.9 when password policy objects are used, for
> two reasons:
>
> 1. Whenever a policy is looked up, all principals are scanned to find
> out how many principals refer to the policy. This is almost always
> pointless work, since the "policy reference count" field is rarely used.
>
> 2. Whenever a principal is looked up, its corresponding policy object is
> also looked up in order to set the password expiration time based on the
> policy's max-life value. Although this is not completely pointless,
> it's probably going overboard since our DB2 back end doesn't do it.
>
> So not only does the policy lookup cost scale with the number of
> principals, but so does the principal lookup cost.
>
> We fixed (1) in 1.9 and will remove (2) in 1.12. If you cannot upgrade
> to 1.9 or later, you should avoid the use of password policy objects.
>
How can I do this? I can remove a policy in kadmin, but what happens to
the principals associated with the policy?
Regards
Berthold Cogel
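The scaling problem Greg describes above can be made concrete with a small cost model. The following is an added illustration, not code from MIT krb5 or from this thread: it uses a constructed in-memory "directory" in place of LDAP, counts every entry read as one operation, and implements the two behaviours from the quoted explanation (the refcount scan over all principals on every policy lookup, removed in 1.9, and the policy fetch on every principal lookup, removed in 1.12). The function and class names are assumptions chosen for the model.

```python
"""Toy cost model of the pre-1.9 / pre-1.12 MIT krb5 LDAP KDB driver lookups.

Added illustration, not krb5 code. The Directory below is a constructed
stand-in for the LDAP tree; `ops` counts entries read, standing in for
LDAP search cost.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    name: str
    max_life: int  # seconds; the policy's max-life used for pw expiration


@dataclass
class Principal:
    name: str
    policy: Optional[str]  # policy name, or None if no policy is set
    last_pwd_change: int = 0


@dataclass
class Directory:
    """Constructed stand-in for the LDAP tree; every entry read costs one op."""
    principals: dict = field(default_factory=dict)
    policies: dict = field(default_factory=dict)
    ops: int = 0

    def read_policy(self, name):
        self.ops += 1
        return self.policies[name]

    def read_principal(self, name):
        self.ops += 1
        return self.principals[name]

    def scan_principals(self):
        # A full subtree search touches every principal entry.
        self.ops += len(self.principals)
        return list(self.principals.values())


def lookup_policy_old(d, name):
    """Pre-1.9 (reason 1): compute the refcount by scanning all principals."""
    pol = d.read_policy(name)
    refcount = sum(1 for p in d.scan_principals() if p.policy == name)
    return pol, refcount


def lookup_policy_new(d, name):
    """1.9 and later: the policy entry alone, no refcount scan."""
    return d.read_policy(name), None


def lookup_principal_old(d, name):
    """Pre-1.12 (reason 2): also fetch the policy to derive pw expiration.

    In the pre-1.9 driver that policy fetch is itself the scanning one,
    so a single principal lookup costs O(number of principals).
    """
    p = d.read_principal(name)
    expiration = None
    if p.policy is not None:
        pol, _ = lookup_policy_old(d, p.policy)
        expiration = p.last_pwd_change + pol.max_life
    return p, expiration


def lookup_principal_new(d, name):
    """1.12 and later: the principal entry alone."""
    return d.read_principal(name), None


def build_directory(n_principals, with_policy=True):
    """Constructed realm: one policy and n principals, with or without it set."""
    d = Directory()
    d.policies["default"] = Policy("default", 90 * 86400)
    for i in range(n_principals):
        d.principals[f"user{i}"] = Principal(
            f"user{i}", "default" if with_policy else None)
    return d


def cost(fn, d, name):
    """Ops consumed by one call of fn(d, name)."""
    before = d.ops
    fn(d, name)
    return d.ops - before


def compare(n):
    """Ops for one principal lookup at realm size n under each behaviour."""
    return {
        "old_with_policy": cost(lookup_principal_old, build_directory(n, True), "user0"),
        "old_no_policy": cost(lookup_principal_old, build_directory(n, False), "user0"),
        "new": cost(lookup_principal_new, build_directory(n, True), "user0"),
    }


if __name__ == "__main__":
    for n in (10, 1000, 100000):
        print(n, compare(n))
```

With a policy set, the old driver spends n+2 operations per principal lookup (principal, policy, then the scan of all n principals), while a principal with no policy costs one operation, which is the effect Greg's advice to avoid policy objects relies on.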