On Tue, 2013-03-12 at 15:31 +0100, Petr Spacek wrote:
> On 12.3.2013 13:34, Simo Sorce wrote:
> >>> > >We might, but how do you check for the global value ?
> >>> > >An additional search for every KDC operation is simply not going to
> >>> > >happen.
> >> >
> >> >Can we do that extra search only when the KDC is initialized and when
> >> >configuration is refreshed? I don't think the default values would
> >> >change too often, so this might be OK.
> > How do you know when the configuration changes ?
> Persistent search?

No for 3 reasons.

1. Persistent searches are expensive for the server.
2. The KDC is not threaded so it has no way to react to data being sent down the pipe. It may accumulate for hours and then the KDC would be swamped processing all that data on the first request it gets from a client.
3. The KDC is configured to spawn multiple processes on multi-CPU machines, and that would mean tons of duplication with one persistent search per process, and the associated heavy load on DS would increase even more.

We might have a dirty way to do something like this with inotify and a common file we agree upon to 'touch' from DS plugins. Then the KDC would be able to reload the configuration only when inotify signals there is a change in the underlying file. It's not really elegant and will probably also require changes to the SELinux policy but it would be less heavyweight.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
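
The inotify idea in the message above, as an added example that is not part of the original email and is not FreeIPA or KDC code: a single-threaded process checks a non-blocking inotify descriptor once per request and drains the queue, so any number of touches costs one reload. The function names and the flag-file path are hypothetical.

```c
/* Added example, not FreeIPA or MIT krb5 code; every name here is hypothetical. */
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>

/* Writer side (the DS plugin's role): bump the flag file's timestamps. */
int flag_touch(const char *path) { return utimensat(AT_FDCWD, path, NULL, 0); }

/* Reader side: one non-blocking inotify fd per worker process. */
int cfg_watch_open(const char *path)
{
    int fd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    /* A timestamp update raises IN_ATTRIB; a writer closing raises IN_CLOSE_WRITE. */
    if (fd >= 0 && inotify_add_watch(fd, path, IN_ATTRIB | IN_CLOSE_WRITE) < 0) {
        close(fd);
        fd = -1;
    }
    return fd;
}

/* Call once per request; never blocks. Drains the whole queue so a backlog of
 * touches costs one reload. Returns 1 = reload, 0 = unchanged, -1 = error. */
int cfg_watch_changed(int fd)
{
    char buf[4096];
    int changed = 0;
    for (;;) {
        ssize_t n = read(fd, buf, sizeof(buf));
        if (n > 0) { changed = 1; continue; }   /* which event does not matter */
        if (n < 0 && errno == EINTR) continue;
        return (n < 0 && errno == EAGAIN) ? changed : -1;  /* EAGAIN: queue empty */
    }
}

int main(void)
{
    char path[] = "/tmp/kdc-flag-XXXXXX";   /* constructed stand-in flag file */
    int tmp = mkstemp(path), fd;
    if (tmp < 0 || (fd = cfg_watch_open(path)) < 0) return 1;
    for (int i = 0; i < 3; i++) flag_touch(path);
    printf("after 3 touches: %d\n", cfg_watch_changed(fd));
    printf("next request:    %d\n", cfg_watch_changed(fd));
    close(fd); close(tmp); unlink(path);
    return 0;
}
```

The watch is attached to the file's inode, so a writer that replaces the flag file by rename instead of touching it in place would need a directory watch instead.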