Changing the KDC search base dynamically
Shani Ranasinghe
shanira14 at gmail.com
Wed Dec 4 22:10:23 EST 2013
Hi,
Thank you for the help.
On Thu, Dec 5, 2013 at 7:34 AM, Simo Sorce <simo at redhat.com> wrote:
> On Thu, 2013-12-05 at 03:42 +0530, Shani Ranasinghe wrote:
> > Hi,
> >
> >
> > On Thu, Dec 5, 2013 at 3:23 AM, Simo Sorce <simo at redhat.com> wrote:
> >
> > > On Thu, 2013-12-05 at 03:08 +0530, Shani Ranasinghe wrote:
> > > > Hi,
> > > > Thank you Greg and Simo.
> > > > Please find my comments in-line.
> > > > Regards,
> > > > Shani Ranasinghe.
> > > >
> > > > @Simo, This is what I have done at the moment. When the user logs
> into
> > > the
> > > > system, I will know if that user is a tenant or not by the username
> > > > provided. Based on that I will know where to search for in the tree.
> In
> > > my
> > > > application, I need to get a TGT everytime the user logs into the
> > > system.
> > > > The problem with having the search the whole tree is that, this
> will be
> > > a
> > > > performance hit in the long run. This is the main reason I was
> looking
> > > for
> > > > an alternative way rather than restarting the server, and searching
> the
> > > > whole tree.
> > >
> > > Premature optimization, just use proper indexes for your query.
> > >
> >
> > Ok. How can I use indexes with Kinit? I did not find anyway to do this.I
> > am using Kinit to generate TGT's. Every Kinit request must be different
> > from user to user.
>
> You need to check your LDAP server documentation to find out how to
> analyze queries to find if any of the attributes in the search filters
> is not indexed and how to eventually create indexes.
>
> This is nothing specific to Kerberos.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
More information about the krbdev
mailing list