On 09/24/2012 05:13 PM, Sereyvathana Ty wrote:
> Without the policy, I was able to
> receive a response from the KDC very fast (almost like using the flat
> database). With the policy, it takes about 1.5 seconds (avg over 1000
> tries). This KDC is running in a VM with 2 CPUs and 4 gigs of RAM.

This should be better in MIT krb5 1.9 or later.  In krb5 1.8 and prior,
fetching password policies was very slow with large KDBs because the
module would scan all principals in order to populate a reference count
field.

It looks like CentOS 6.1 and later have krb5 1.9, but CentOS 6.0 (which
I think is no longer receiving updates) has 1.8.

> For example, the ‘listprincs’ command would take
> about one hour to return.

This appears to be a related problem and should also be better in MIT
krb5 1.9, although you wouldn't immediately think that listprincs would
be retrieving policy entries.  The LDAP back end appears to dynamically
calculate a principal's password expiration at lookup time using the
principal's policy entry and its last password change time.

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
