On Fri Feb 1 11:07:22 2002, Nicolas Williams said: > On Fri, Feb 01, 2002 at 10:20:04AM -0800, Mike Friedman wrote: > > Looking down the road around here, we may wind up having to populate our > > KDC with alumni, in addition to the students, staff and 'affiliates' that > > we have now. Which means possibly exceeding 1M principals in the database. > > Does anyone know if I should anticipate problems when/if the database gets > > that large? Are there folks out there actually running a KDC with anywhere > > near that many principals?
> - perf knees in BDB? I doubt it. OK, good. > - load; how many of those 1M records are going to be active? Good point. Concurrent activity will probably always involve only a small percentage of our registered principals. > - replication; how long does it take to kprop a database with 1M records? > How long does it take to dump such a KDB? I forgot about that. Right now, the entire propagation (unload, transmit db, reload) takes about 5 minutes (the unload no more than 2 minutes). In our environment, where we do mostly web 'proxy' authentication, I have to deal with the fact that while the master is being unloaded, updates (eg, passphrase changes) don't work properly. When these are being done by my cgi scripts, I have to be prepared to handle this condition. Currently, my code does this rather primitively, but since the condition occurs rarely it hasn't been a problem. So, if dumping the db is going to take a significant amount of time, I'll need to make my code more robust. > I have implemented an incremental replication system in-house for > dealing with replication. I recommend you look into doing the same. I guess I'll need to consider this. Thanks for the feedback. My initial concern was mainly with the MIT K5 software itself, but clearly I need to worry about ancillary processes as well. Mike ------------------------------------------------------------------------------ Mike Friedman System and Network Security [EMAIL PROTECTED] 2484 Shattuck Avenue 1-510-642-1410 University of California at Berkeley http://ack.Berkeley.EDU/~mikef http://security.berkeley.edu ------------------------------------------------------------------------------
