On 13.06.2013 18:04, Greg Hudson wrote:
> On 06/13/2013 09:28 AM, Berthold Cogel wrote:
>> System: RHEL5
>> Kerberos: 1.6.1-70.el5 (MIT/RHEL)
>> LDAP: openldap-ltb-2.4.28-1.el5
>
> Short answer: you need a newer version of krb5.

This is not possible at the moment. I don't have the time to build and maintain my own packages.

>
> Long answer: there's a serious performance scaling issue in the LDAP
> driver prior to version 1.9 when password policy objects are used, for
> two reasons:
>
> 1. Whenever a policy is looked up, all principals are scanned to find
> out how many principals refer to the policy. This is almost always
> pointless work, since the "policy reference count" field is rarely used.
>
> 2. Whenever a principal is looked up, its corresponding policy object is
> also looked up in order to set the password expiration time based on the
> policy's max-life value. Although this is not completely pointless,
> it's probably going overboard since our DB2 back end doesn't do it.
>
> So not only does the policy lookup cost scale with the number of
> principals, but so does the principal lookup cost.
>
> We fixed (1) in 1.9 and will remove (2) in 1.12. If you cannot upgrade
> to 1.9 or later, you should avoid the use of password policy objects.
>

How can I do this? I can remove a policy in kadmin, but what happens to the principals associated with the policy?

Regards
Berthold Cogel
