Issue with ldap backend performance

Greg Hudson ghudson at MIT.EDU
Tue Oct 5 13:04:22 EDT 2010

On Wed, 2010-09-29 at 06:08 -0400, Howard Wilkinson wrote:
> As a workaround we have temporarily replaced the reference count check
> with a static high number in the populate_policy routine, but this is
> obviously not ideal.

> Any suggestions as to where I could look or any modifications we could
> make to the LDAP back end that might alleviate this behaviour would be
> gratefully received.

I think your workaround is fine for now, although it will prevent you
from deleting any policy objects through kadmin.

After discussing this at a team meeting, what I'd like to do is:

* Deprecate public (i.e. above the database module layer) use of the
refcount field of policy objects.  In particular, stop displaying the
refcount in kadmin getpol.

* Make the database module's delete_policy method responsible for
ensuring that policies can't be deleted.  Currently that is enforced in

* In the LDAP back end, just set the refcount to a constant (maybe 1)
when a policy object is populated.

* Move the subtree search into the LDAP back end's delete_policy method.
