Changing the KDC search base dynamically

Simo Sorce simo at redhat.com
Wed Dec 4 21:04:59 EST 2013


On Thu, 2013-12-05 at 03:42 +0530, Shani Ranasinghe wrote:
> Hi,
> 
> 
> On Thu, Dec 5, 2013 at 3:23 AM, Simo Sorce <simo at redhat.com> wrote:
> 
> > On Thu, 2013-12-05 at 03:08 +0530, Shani Ranasinghe wrote:
> > > Hi,
> > > Thank you Greg and Simo.
> > > Please find my comments in-line.
> > > Regards,
> > > Shani Ranasinghe.
> > >
> > > @Simo, this is what I have done at the moment. When the user logs into
> > > the system, I will know if that user is a tenant or not by the username
> > > provided. Based on that I will know where to search in the tree. In my
> > > application, I need to get a TGT every time the user logs into the
> > > system. The problem with having to search the whole tree is that this
> > > will be a performance hit in the long run. This is the main reason I was
> > > looking for an alternative way rather than restarting the server, and
> > > searching the whole tree.
> >
> > Premature optimization, just use proper indexes for your query.
> >
> 
> Ok. How can I use indexes with Kinit? I did not find any way to do this. I
> am using Kinit to generate TGTs. Every Kinit request must be different
> from user to user.

You need to check your LDAP server documentation to find out how to
analyze queries to find if any of the attributes in the search filters
is not indexed and how to eventually create indexes.

This is nothing specific to Kerberos.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


