On 14.06.2013 09:32, Berthold Cogel wrote:
> On 13.06.2013 21:01, Greg Hudson wrote:
>> On 06/13/2013 01:05 PM, Berthold Cogel wrote:
>>>> We fixed (1) in 1.9 and will remove (2) in 1.12. If you cannot upgrade
>>>> to 1.9 or later, you should avoid the use of password policy objects.
>>
>>> How can I do this? I can remove a policy in kadmin, but what happens to
>>> the principals associated with the policy?
>>
>> krb5 1.6 doesn't let you remove a policy until no principals are
>> associated with it. (krb5 1.12 will allow dangling policy references,
>> but that doesn't help you.) So you'll have to remove those first,
>> probably using some kind of script given the number of users you have.
>> Removing the krbPwdPolicyReference attributes from the principal objects
>> in LDAP will suffice, if you have better LDAP scripting tools than
>> kadmin scripting tools.
>>
>> ________________________________________________
>> Kerberos mailing list [email protected]
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
> OK.... I only have to remove the krbPwdPolicyReference attribute in
> LDAP? Then I don't need a script. I can do batch operations with Apache
> Directory Studio. And thanks to virtualisation I can snapshot the
> system. In case I make some mistake.
>
> Thanks a lot
>
> Berthold Cogel
>
Done... with Apache Directory Studio. I searched for all entries with
krbPwdPolicyReference and created for this subset a batch operation with
modify/delete (LDIF file ...). Creating the LDIF for about 73000 took about
15 minutes on my computer. And I deleted all policy entries.

Now it works like a charm... No 'context switch' spike in vmstat during
authentication. All kerberos operations are fast now.

Thanks

Berthold Cogel
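The same cleanup that Berthold did by hand in Apache Directory Studio (search for every entry carrying krbPwdPolicyReference, then batch modify/delete) can be scripted. The following is an added example, not code from the thread or from krb5: it reads the LDIF of such a search (a constructed sample with a made-up realm and DNs is embedded) and emits a `changetype: modify` LDIF to review before applying it with ldapmodify, handling RFC 2849 folded lines and base64 `dn::` entries along the way.

```python
import base64
ATTR = "krbPwdPolicyReference"

# Constructed sample of what an ldapsearch for (krbPwdPolicyReference=*) returns: a base64
# 'dn::' entry, an RFC 2849 folded line and an entry without the attribute. Realm/DNs are made up.
UMLAUT_DN = "krbPrincipalName=jörg@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com"
SAMPLE = f"""dn: krbPrincipalName=alice@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com
krbPwdPolicyReference: cn=default,cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com

dn:: {base64.b64encode(UMLAUT_DN.encode()).decode()}
krbPwdPolicyReference: cn=default,cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com

dn: krbPrincipalName=host/kdc.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,
 cn=krbContainer,dc=example,dc=com
objectClass: krbPrincipal
"""

def records(ldif):
    """Yield entries as lists of unfolded 'attr: value' lines (RFC 2849)."""
    rec = []
    for raw in ldif.splitlines() + [""]:        # sentinel flushes the last entry
        if raw.startswith(" ") and rec:         # continuation line: unfold it
            rec[-1] += raw[1:]
        elif raw == "":                          # blank line ends an entry
            if rec:
                yield rec
            rec = []
        elif not raw.startswith("#"):
            rec.append(raw)

def entry_dn(rec):
    """DN of an entry (its first line), decoding the base64 'dn::' form."""
    if rec[0].startswith("dn:: "):
        return base64.b64decode(rec[0][5:]).decode("utf-8")
    return rec[0][len("dn: "):]

def dn_line(dn):
    """Write 'dn:' when the DN is an RFC 2849 SAFE-STRING, else base64 'dn::'."""
    if dn.isascii() and not dn.startswith((" ", ":", "<")):
        return f"dn: {dn}"
    return "dn:: " + base64.b64encode(dn.encode("utf-8")).decode("ascii")

def policy_removal_ldif(search_ldif):
    """Build a 'changetype: modify' LDIF deleting ATTR from every entry that has it."""
    changes = []
    for rec in records(search_ldif):
        if any(l.lower().startswith(ATTR.lower() + ":") for l in rec[1:]):
            changes.append("\n".join([dn_line(entry_dn(rec)), "changetype: modify",
                                      f"delete: {ATTR}", "-", ""]))
    return "\n".join(changes)
```

Entries without the attribute produce no change record, so the output can be applied as-is once it has been reviewed (and, as in the thread, after a snapshot of the directory host).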
