[16425] in Kerberos_V5_Development
Re: Issue with ldap backend performance
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Oct 5 22:17:55 2010
From: Greg Hudson <ghudson@mit.edu>
To: Howard Wilkinson <howard@cohtech.com>
In-Reply-To: <1285754907.4814.24.camel@zion.finsbury.cohtech.co.uk>
Date: Tue, 05 Oct 2010 13:04:22 -0400
Message-ID: <1286298262.20521.1368.camel@ray>
Cc: "krbdev@mit.edu" <krbdev@mit.edu>

On Wed, 2010-09-29 at 06:08 -0400, Howard Wilkinson wrote:
> As a work around we have temporarily replaced the reference count check
> with a static high number in the populate_policy routine, but this is
> obviously not ideal.

> Any suggestions as to where I could look or any modifications we could
> make to the LDAP back end that might alleviate this behaviour would be
> gratefully received.

I think your workaround is fine for now, although it will prevent you
from deleting any policy objects through kadmin.

After discussing this at a team meeting, what I'd like to do is:

* Deprecate public (i.e. above the database module layer) use of the
  refcount field of policy objects. In particular, stop displaying the
  refcount in kadmin getpol.

* Make the database module's delete_policy method responsible for
  ensuring that policies can't be deleted. Currently that is enforced in
  libkadm5srv.

* In the LDAP back end, just set the refcount to a constant (maybe 1)
  when a policy object is populated.

* Move the subtree search into the LDAP back end's delete_policy method.
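
Added example, not part of the original message and not MIT krb5 code: a small C model of the proposal above, in which populating a policy no longer triggers a reference search and the back end's delete path performs it instead. All names, the in-memory "directory" and the return codes are hypothetical; it assumes the delete refusal applies to policies still referenced by a principal.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data: principal entries and the policy each references. */
struct princ { const char *name; const char *policy; };
static const struct princ directory[] = {
    { "alice@EXAMPLE.COM", "default" },
    { "bob@EXAMPLE.COM",   "default" },
    { "carol@EXAMPLE.COM", "admins"  },
};
static const size_t n_princs = sizeof(directory) / sizeof(directory[0]);
static unsigned long searches;  /* number of simulated subtree searches */

/* Stand-in for the LDAP subtree search: does any principal use the policy? */
static int policy_in_use(const char *policy)
{
    size_t i;

    searches++;
    for (i = 0; i < n_princs; i++) {
        if (strcmp(directory[i].policy, policy) == 0)
            return 1;
    }
    return 0;
}

struct policy { const char *name; long refcount; };

/* Proposed populate: no search; refcount is only a placeholder constant. */
static void populate_policy(struct policy *out, const char *name)
{
    out->name = name;
    out->refcount = 1;
}

/* Proposed delete: the back end searches here. 0 = deleted, -1 = in use. */
static int delete_policy(const char *name)
{
    return policy_in_use(name) ? -1 : 0;
}

int main(void)
{
    struct policy p;
    int i;

    for (i = 0; i < 1000; i++)
        populate_policy(&p, "default");
    printf("searches after 1000 populates: %lu\n", searches);
    printf("delete default: %d\n", delete_policy("default"));
    printf("delete unused: %d\n", delete_policy("unused"));
    return 0;
}
```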