On Tue, Nov 10, 2009 at 11:14:40AM -0600, John Washington wrote:
> Our backend was last counted at over 200,000 principals and the only
> noticeable impact (at this time) is that propagation time is around
> two minutes.

My previous experience was with ~100K principals, and indeed, it scales fine. I suspect it scales just fine to much larger sizes.

Things to keep in mind:

 - The MIT krb5 KDC (and so the Solaris one) is single-threaded, and demand for KDC exchanges matters more than number of principals in KDB, but you're likely to have multi-core/multi-thread-CPU hardware, so you may want to create a VM/zone/jail per-core or per-hardware thread and run the KDC in as many as you need to scale to demand.

   You'll probably want to measure how many KDC exchanges you can get per-HW thread and decide how many KDCs you need based on expected demand. Estimating demand requires knowledge of what kerberized services you will have. In any case, if you will deploy incrementally, then you can add KDCs as you deploy.

 - Incremental propagation helps; I recommend it.

Nico
--
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
