[16407] in Kerberos_V5_Development
Issue with ldap backend performance
daemon@ATHENA.MIT.EDU (Howard Wilkinson)
Wed Sep 29 06:08:42 2010
From: Howard Wilkinson <howard@cohtech.com>
To: "krbdev@mit.edu" <krbdev@mit.edu>
Date: Wed, 29 Sep 2010 11:08:27 +0100
Message-Id: <1285754907.4814.24.camel@zion.finsbury.cohtech.co.uk>

I have been involved in a project that has implemented the LDAP backend
for the KDC and we have been seeing performance issues with a specific
function in this backend. The version we have been using is an early 1.7
release. I am currently looking at moving the implementation to 1.8 and
have checked the code but it looks like the problem may still exist. I
am wondering if anybody can throw some insight into this and suggest if
we have spotted a true problem, or whether we have missed a trick in our
LDAP setup.

The problem occurs in the routine populate_policy in
plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c. The call to
krb5_ldap_get_reference_count is taking a long time to complete and is
causing our scripts which add new users to the KDC to run very slowly.
Looking at the code for krb5_ldap_get_reference_count, it does a subtree
scan. I am not familiar with the schema of the LDAP backend so cannot
see what this implies, but it is definitely this piece of code that is
slowing things down.

As a workaround we have temporarily replaced the reference count check
with a static high number in the populate_policy routine, but this is
obviously not ideal.

Any suggestions as to where I could look or any modifications we could
make to the LDAP backend that might alleviate this behaviour would be
gratefully received.

Howard