Multithreading the KDC server - a design

Jeffrey Altman jaltman at MIT.EDU
Thu Apr 14 10:53:37 EDT 2005


Rahul:

I certainly expect that if there is a database with one million users
and you replicate it that each copy of the database will have one
million users.  However, you would never want to have one million
users walking into the office on Monday morning all over the world
and contacting a single copy of the database at 9am.  Your wide area
network links would never support it.   Instead, what you do is
deploy copies of the database close to where the users log in and
then ensure that the configuration data at each location points to
the local copy.

In a master-slave model, users should only have to hit the master
database when they need to change their password or if the client
believes that their password has changed.  In MIT Kerberos that
would be the equivalent of configuring the clients in New York as

	EXAMPLE.COM = {
		kdc = slave.newyork.example.com
		master_kdc = master.example.com
	}

and those in London as

	EXAMPLE.COM = {
		kdc = slave.london.example.com
		master_kdc = master.example.com
	}

with these configurations the local slave instance would receive all
of the local requests unless the database is out of sync in which
case those principals which are out of sync will contact the master
kdc.  This deployment model is important not only to reduce the load
on the master kdc but also to keep the costs of wide area network
utilization low.

The fact that there are a million users in the database only concerns
me from the perspective that there is some form of incremental
propagation in use.  I assume that eDirectory provides that functionality.

Jeffrey Altman



Rahul Srinivas wrote:

> Hi,
>    There are eDirectory deployments in which *each* replica contains
> more than 1 million objects (most of which correspond to users). I am
> collecting information on the actual deployment scenarios. I will post
> it on this list as soon as I get it.
> 
> Regards,
> 
> -Rahul S.
> 
> On Wed, 13 Apr 2005, Jeffrey Altman wrote:
> 
>> I can certainly understand having a directory containing a single realm
>> which is made up of more than a million objects.  When you deploy these
>> directories, how is access to the directory replicated and deployed
>> across the network?
>>
>> If I am a multi-national with offices in New York, San Francisco,
>> London, and Prague, are there directory servers located in all offices
>> or are you expecting all traffic to travel across the WAN to a central
>> server?
>>
>> I ask this because it significantly impacts the discussion of the KDC
>> load.  What is important is not the number of principals in the database
>> but the number of clients which are going to be making requests.
>> (Remember, services have principals but they never make requests of the
>> KDC.)
>>
>> Thanks.
>>
>> Jeffrey Altman
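As an added illustration of the client-side behaviour the message above describes (local `kdc` for ordinary requests, `master_kdc` for password changes and for principals whose copy on the slave is stale), here is a small Python model. It is example code written for this page, not code from the thread or from MIT Kerberos: the stanza parser, the toy `FakeKdc`, the `login` walk and the set of "stale slave" errors are all constructed assumptions for illustration, and real libkrb5 decides when to retry against the master by its own rules.

```python
"""Constructed model of the kdc / master_kdc selection rule from the thread.

Not MIT Kerberos code. The realm stanza text, the error names treated as a
sign of a stale slave, and the toy KDC objects are assumptions for
illustration only.
"""
import re

# Constructed config text in the shape of the stanza quoted in the message.
NEW_YORK_CONF = """
[realms]
    EXAMPLE.COM = {
        kdc = slave.newyork.example.com
        master_kdc = master.example.com
    }
"""

# Assumption: errors whose likely cause is an out-of-sync slave copy of the
# principal (password changed at the master, not yet propagated).
STALE_SLAVE_ERRORS = {"KDC_ERR_PREAUTH_FAILED", "KDC_ERR_C_PRINCIPAL_UNKNOWN"}


def parse_realms(text):
    """Return {realm: {key: [values]}} from a krb5.conf-style [realms] section."""
    realms, current, in_realms = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):                 # section header
            in_realms = line == "[realms]"
            continue
        if not in_realms:
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)  # "EXAMPLE.COM = {"
        if m:
            current = m.group(1)
            realms[current] = {}
            continue
        if line == "}":
            current = None
            continue
        if current is not None and "=" in line:
            key, _, val = line.partition("=")
            realms[current].setdefault(key.strip(), []).append(val.strip())
    return realms


def choose_kdc(realm_conf, request, slave_error=None):
    """Pick the host for a request: 'as_req', 'tgs_req' or 'kpasswd'.

    slave_error is the error name the local slave returned on a previous
    attempt, or None. Assumption: with no master_kdc configured, the kdc
    list is used for everything.
    """
    slaves = realm_conf.get("kdc", [])
    masters = realm_conf.get("master_kdc", slaves)
    if request == "kpasswd":                     # password changes go to the master
        return masters[0]
    if slave_error in STALE_SLAVE_ERRORS and masters:
        return masters[0]                        # retry a stale-looking failure at the master
    return slaves[0]                             # everything else stays local


class FakeKdc:
    """Toy stand-in for a KDC: a host name and its copy of the principal keys."""

    def __init__(self, host, keys):
        self.host = host
        self.keys = dict(keys)

    def as_req(self, principal, password):
        if principal not in self.keys:
            return "KDC_ERR_C_PRINCIPAL_UNKNOWN"
        if self.keys[principal] != password:
            return "KDC_ERR_PREAUTH_FAILED"
        return "OK"


def login(realm_conf, kdcs, principal, password):
    """Walk one initial-ticket request through the rule; return (result, trail)."""
    host = choose_kdc(realm_conf, "as_req")
    result = kdcs[host].as_req(principal, password)
    trail = [(host, result)]
    if result != "OK":
        retry = choose_kdc(realm_conf, "as_req", slave_error=result)
        if retry != host:                        # only one extra round trip, to the master
            result = kdcs[retry].as_req(principal, password)
            trail.append((retry, result))
    return result, trail


if __name__ == "__main__":
    ny = parse_realms(NEW_YORK_CONF)["EXAMPLE.COM"]
    # Constructed state: alice changed her password at the master; the New York
    # slave still holds the old key.
    kdcs = {
        "slave.newyork.example.com": FakeKdc("slave.newyork.example.com", {"alice": "old"}),
        "master.example.com": FakeKdc("master.example.com", {"alice": "new"}),
    }
    print(login(ny, kdcs, "alice", "new"))
```

The trail returned by `login` is what an operator would expect to see in slave and master KDC logs while propagation lags: one failed AS request at the local slave followed by a successful one at the master, and no master traffic at all for principals whose slave copy is current.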

