[32129] in Kerberos
Re: ldap_conns_per_server = 5
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Mar 8 17:50:13 2010
From: Greg Hudson <ghudson@mit.edu>
To: Kevin Longfellow <klongfel@yahoo.com>
In-Reply-To: <373310.11534.qm@web53501.mail.re2.yahoo.com>
Date: Mon, 08 Mar 2010 17:50:00 -0500
Message-ID: <1268088600.18898.355.camel@ray>
Mime-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Mon, 2010-03-08 at 15:35 -0500, Kevin Longfellow wrote:
> Going through krb5.conf for a kdc that will be using ldap as the back
> end, the variable ldap_conns_per_server = 5 seems low. Consider a kdc
> for 30k+ users; will this setting be ok? What does this variable
> really limit? Having no practical experience with a large deployment
> using ldap as the back end, this variable caught my eye and concerns
> me as too low for a very large number of users.
I believe that parameter doesn't actually do anything productive. It
controls the number of connections created when a realm is
initialized... but since the KDC code is single-threaded, it only winds
up using one connection at a time anyway.

As for whether 30K users might overburden a single-threaded KDC:
possibly, but if you have a reasonably fast LDAP server it might not
actually be a problem. You can have a large number of users and still
have a pretty light KDC load since users only need to get tickets when
they obtain initial credentials or get credentials for a new service.

We have an enhancement in mind (but not yet implemented) to help deal
with situations where KDC load is an issue. See
http://k5wiki.kerberos.org/wiki/Projects/Parallel_KDC for details.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
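The reply above says the practical question is not the LDAP connection pool size but how many AS_REQ (initial credentials) and TGS_REQ (service ticket) requests a single-threaded KDC has to serve at peak. The script below is an added example, not code from the thread or from MIT Kerberos: it parses lines in the krb5kdc log format, reports the request mix and the busiest one-second window, and turns the peak rate into an approximate utilisation figure for a single-threaded server. The log lines are constructed sample data, and `seconds_per_request` (the average time the KDC is blocked on one request, including its LDAP lookups) is an assumed input that you would measure on your own KDC.

```python
import re
from collections import Counter

# Constructed sample lines in the krb5kdc log format (example data, not from the thread).
SAMPLE_LOG = """\
Mar 08 17:50:10 kdc1 krb5kdc[2103](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.2.3: ISSUE: authtime 1268088610, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 08 17:50:10 kdc1 krb5kdc[2103](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.2.4: NEEDED_PREAUTH: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Mar 08 17:50:10 kdc1 krb5kdc[2103](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.2.4: ISSUE: authtime 1268088610, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 08 17:50:11 kdc1 krb5kdc[2103](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.2.3: ISSUE: authtime 1268088610, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for ldap/ldap1.example.com@EXAMPLE.COM
Mar 08 17:50:11 kdc1 krb5kdc[2103](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.2.9: PREAUTH_FAILED: carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Mar 08 17:50:12 kdc1 krb5kdc[2103](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.2.4: ISSUE: authtime 1268088610, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for host/web1.example.com@EXAMPLE.COM
"""

# One krb5kdc request line: timestamp, host, process, request type, client
# address, outcome, and (for ISSUE lines) the ticket details before the principals.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<addr>\S+): (?P<status>\w+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?(?P<client>[^,\s]+) for (?P<server>[^,\s]+)"
)


def parse_kdc_log(text):
    """Return one dict per recognised AS_REQ/TGS_REQ line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def load_profile(records):
    """Summarise the request mix and find the busiest one-second window."""
    per_second = Counter(r["ts"] for r in records)
    if per_second:
        peak_ts, peak = max(per_second.items(), key=lambda kv: kv[1])
    else:
        peak_ts, peak = None, 0
    return {
        "total": len(records),
        "by_type": Counter(r["req"] for r in records),
        "by_status": Counter(r["status"] for r in records),
        "distinct_clients": len({r["client"] for r in records}),
        "peak_rps": peak,
        "peak_second": peak_ts,
    }


def single_thread_utilisation(peak_rps, seconds_per_request):
    """Fraction of a single-threaded KDC's capacity used at the peak rate.

    seconds_per_request is an assumed average service time per request,
    including back-end (LDAP) lookups the KDC blocks on. A result above 1.0
    means the peak second's requests cannot all be served within that second.
    """
    return peak_rps * seconds_per_request


if __name__ == "__main__":
    profile = load_profile(parse_kdc_log(SAMPLE_LOG))
    for key, value in profile.items():
        print(f"{key}: {value}")
    # 5 ms per request is an assumed figure; measure it on the real KDC.
    print("utilisation at peak:", single_thread_utilisation(profile["peak_rps"], 0.005))
```

Run it against a real krb5kdc log instead of `SAMPLE_LOG` to get the actual peak rate; the utilisation figure is only as good as the measured per-request time, and the `by_status` counts (NEEDED_PREAUTH and PREAUTH_FAILED alongside ISSUE) also show how much of the load is retries rather than successful ticket issuance.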