KDC query client performance
Simo Sorce
ssorce at redhat.com
Mon Feb 14 20:20:16 EST 2011
On Mon, 14 Feb 2011 19:34:51 -0500
Sam Hartman <hartmans at mit.edu> wrote:
> >>>>> "Simo" == Simo Sorce <ssorce at redhat.com> writes:
>
> Simo> On Mon, 14 Feb 2011 18:35:14 +0000
> Simo> "Roland C. Dowdeswell" <elric at imrryr.org> wrote:
>
> >> Also, it might be a better idea in the longer term to write a little
> >> daemon that runs as root, listens on a UNIX domain socket and
> >> accepts requests from the krb5 libs to have conversations with
> >> various KDCs. The advantage of this would be that this daemon
> >> could keep track of which KDCs are up and perhaps even keep
> >> track of which ones answer the quickest (and are therefore
> >> likely the closest), etc.
>
> Simo> You can do this separately by creating a locator plugin.
> Simo> That's what we do with the SSSD project at least, so that
> Simo> the sssd daemon does the discovery and just tells the krb5
> Simo> libs what is the ip address to use for the KDC.
>
> Yes, but I think that this is important enough to Kerberos performance
> that someone should really do this separately from SSSD. If you're
> going to use SSSD, or some full infrastructure, you'll use their KDC
> locator. However, you really want this service. All the time. Even
> if you just want a Kerberos client.
Then it may be best to define a socket-based communication protocol so
that only one daemon at a time can do it (consistency) and others can
provide the service w/o having plugins piling up on another.
Simo.
--
Simo Sorce * Red Hat, Inc * New York