On 06/13/2013 09:28 AM, Berthold Cogel wrote:
> System: RHEL5
> Kerberos: 1.6.1-70.el5 (MIT/RHEL)
> LDAP: openldap-ltb-2.4.28-1.el5

Short answer: you need a newer version of krb5.

Long answer: there's a serious performance scaling issue in the LDAP driver prior to version 1.9 when password policy objects are used, for two reasons:

1. Whenever a policy is looked up, all principals are scanned to find out how many principals refer to the policy. This is almost always pointless work, since the "policy reference count" field is rarely used.

2. Whenever a principal is looked up, its corresponding policy object is also looked up in order to set the password expiration time based on the policy's max-life value. Although this is not completely pointless, it's probably going overboard since our DB2 back end doesn't do it.

So not only does the policy lookup cost scale with the number of principals, but so does the principal lookup cost.

We fixed (1) in 1.9 and will remove (2) in 1.12. If you cannot upgrade to 1.9 or later, you should avoid the use of password policy objects.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
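
To judge how exposed a realm is to the scaling issue described above, an LDIF export of the Kerberos container can be tallied offline to show how many principals are bound to each policy object. This is an added example, not part of the original message or of krb5; it assumes the `krbPrincipalName` and `krbPwdPolicyReference` attributes of the MIT Kerberos LDAP schema, and the DNs and principals in the sample are constructed.

```python
import base64
from collections import Counter

# Constructed sample data in the shape of an `ldapsearch -LLL` export.
POLICY_DN = "cn=default,cn=EXAMPLE.COM,dc=example,dc=com"
B64_DN = base64.b64encode(POLICY_DN.encode()).decode()
SAMPLE_LDIF = (
    f"dn: {POLICY_DN}\nobjectClass: krbPwdPolicy\nkrbMaxPwdLife: 7776000\n\n"
    "dn: krbPrincipalName=alice@EXAMPLE.COM,cn=EXAMPLE.COM,dc=example,dc=com\n"
    "krbPrincipalName: alice@EXAMPLE.COM\n"
    "krbPwdPolicyReference: cn=default,cn=EXAMPLE.COM,\n dc=example,dc=com\n\n"
    "dn: krbPrincipalName=bob@EXAMPLE.COM,cn=EXAMPLE.COM,dc=example,dc=com\n"
    "krbPrincipalName: bob@EXAMPLE.COM\n"
    f"krbPwdPolicyReference:: {B64_DN}\n\n"
    "dn: krbPrincipalName=host/web.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,dc=example,dc=com\n"
    "krbPrincipalName: host/web.example.com@EXAMPLE.COM\n"
)

def parse_ldif(text):
    """Yield one {attr_lowercase: [values]} dict per LDIF entry."""
    # LDIF folds long lines: a continuation starts with exactly one space.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: value" means base64-encoded
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            entry.setdefault(attr.lower(), []).append(value)
        if entry:
            yield entry

def policy_usage(text):
    """Return (policy DN -> number of principals, principals with no policy)."""
    per_policy, unbound = Counter(), []
    for entry in parse_ldif(text):
        names = entry.get("krbprincipalname")
        if not names:
            continue  # policy objects and containers are not principals
        refs = entry.get("krbpwdpolicyreference", [])
        if refs:
            per_policy[refs[0].lower()] += 1  # DNs compare case-insensitively
        else:
            unbound.append(names[0])
    return per_policy, unbound

if __name__ == "__main__":
    print(policy_usage(SAMPLE_LDIF))
```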
