Issue with ldap backend performance

Howard Wilkinson howard at cohtech.com
Wed Sep 29 06:08:27 EDT 2010


I have been involved in a project that has implemented the LDAP backend
for the KDC and we have been seeing performance issues with a specific
function in this backend. The version we have been using is an early 1.7
release. I am currently looking at moving the implementation to 1.8 and
have checked the code but it looks like the problem may still exist. I
am wondering if anybody can throw some insight into this and suggest if
we have spotted a true problem, or whether we have missed a trick in our
LDAP set up.

The problem occurs in the routine populate_policy in
plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c; the call to
krb5_ldap_get_reference_count is taking a long time to complete and is
causing our scripts which add new users to the KDC to run very slowly.

Looking at the code for krb5_ldap_get_reference_count it does a subtree
scan. I am not familiar with the schema of the LDAP backend so cannot
see what this implies but it is definitely this piece of code that is
slowing things down.

As a workaround we have temporarily replaced the reference count check
with a static high number in the populate_policy routine, but this is
obviously not ideal.

Any suggestions as to where I could look or any modifications we could
make to the LDAP back end that might alleviate this behaviour would be
gratefully received.

Howard



