Multithreading the KDC server - a design

Jeffrey Altman jaltman at MIT.EDU
Wed Apr 13 00:10:40 EDT 2005

Rahul Srinivas wrote:
> Hi Sam,
>> I probably would have chosen approach 4.1 (not surprising since I
>> suggested it).  We just haven't run into cases where KDC performance
>> requires multiple CPUs at all.
> There are many eDirectory deployments with more than 1 million objects
> in the directory. If such a deployment is kerberized and each object is
> associated with a Kerberos principal, then the rate at which the KDC
> would have to handle requests could become very high. BTW, in your
> experience, what is the maximum rate at which the KDC has to handle
> requests in current deployments?


I can certainly understand having a directory containing a single realm
which is made up of more than a million objects.  When you deploy these
directories, how is access to the directory replicated and deployed
across the network?

If I am a multi-national with offices in New York, San Francisco,
London, and Prague, are there directory servers located in all offices
or are you expecting all traffic to travel across the WAN to a central

I ask this because it significantly impacts the discussion of the KDC
load.  What is important is not the number of principals in the database
but the number of clients which are going to be making requests.
(Remember, services have principals but they never make requests of the


Jeffrey Altman
