Hi,
I want to use Kerberos with an LDAP backend. I am using 389-ds as my LDAP server. I was able to configure Kerberos to work with dirsrv by following this guide (https://help.ubuntu.com/12.04/serverguide/kerberos-ldap.html). However, I am configuring this for CentOS 6, not Ubuntu. I was able to populate the database using kadmin.local, and do all the Kerberos functionalities. However, it is very slow when I have a large number of principals (about 20,000). For example, the 'listprincs' command would take about one hour to return.

Moreover, I found out that it has to do with the Kerberos policy attribute (i.e. krbPwdPolicyReference). I ran a simple test (see below). That is, test_usr_1000 has a policy call, but test_usr_1001 does not have a policy. Without the policy, I was able to receive a response from the KDC very fast (almost like using the flat database). With the policy, it takes about 1.5 seconds (avg over 1000 tries). This KDC is running in a VM with 2 CPUs and 4 gig of RAM.

    [usr@example ~]# time kinit -k -t /tmp/test.keytab test_usr_1000
    real 0m1.466s
    user 0m0.070s
    sys 0m0.011s

    [usr@example ~]# time kinit -k -t /tmp/test.keytab test_usr_1001
    real 0m0.192s
    user 0m0.109s
    sys 0m0.008s

I was wondering if anyone has problems related to this or has experience setting up Kerberos with LDAP on CentOS and 389-ds.

Thank you for your time.

Serey

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
