[Freeipa-devel] [PROPOSAL] Kerberos flags

Simo Sorce simo at redhat.com
Tue Mar 12 16:01:18 UTC 2013


On Tue, 2013-03-12 at 15:31 +0100, Petr Spacek wrote:
> On 12.3.2013 13:34, Simo Sorce wrote:
> > > > We might, but how do you check for the global value ?
> > > > An additional search for every KDC operation is simply not going to
> > > > happen.
> > >
> > > Can we do that extra search only when the KDC is initialized and when
> > > configuration is refreshed? I don't think the default values would
> > > change too often, so this might be OK.
> > How do you know when the configuration changes ?
> Persistent search?

No, for 3 reasons.
1. Persistent searches are expensive for the server.
2. The KDC is not threaded so it has no way to react to data being sent
down the pipe. It may accumulate for hours and then the KDC would be
swamped processing all that data on the first request it gets from a
client.
3. The KDC is configured to spawn multiple processes on multi-CPU
machines, and that would mean tons of duplication with one persistent
search per process, and the associated heavy load on DS would increase
even more.

We might have a dirty way to do something like this with inotify and a
common file we agree upon to 'touch' from DS plugins.
Then the KDC would be able to reload the configuration only when inotify
signals there is a change in the underlying file. It's not really
elegant and will probably also require changes to the selinux policy but
it would be less heavyweight.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
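The inotify idea sketched in the message above, as an added example that is not part of the thread, of FreeIPA, or of the MIT KDC code: a non-blocking inotify watch on a directory that holds an agreed "reload marker" file, checked once per request so that a single-threaded server only reloads its configuration when a DS plugin has actually touched the marker. The scratch directory, the marker name `reload-marker`, and the function names are assumptions made for the demo; the watch is placed on the directory rather than the file so that creating or replacing the marker is seen too, and all queued events are drained in one call so that many touches collapse into a single reload.

```c
/* Added example (not FreeIPA/KDC code): one inotify watch per process,
 * polled without blocking before handling a request.  Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/inotify.h>
#include <sys/stat.h>

struct reload_watch {
    int fd;                  /* inotify instance, non-blocking */
    int wd;                  /* watch on the marker's directory */
    char name[NAME_MAX + 1]; /* marker file name inside that directory (assumed) */
};

/* Watch the directory, not the file: a watch on the file itself is lost if
 * the marker is replaced by rename, and the directory watch also reports
 * the marker being created for the first time. */
int reload_watch_init(struct reload_watch *w, const char *dir, const char *name)
{
    w->fd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (w->fd < 0)
        return -1;
    w->wd = inotify_add_watch(w->fd, dir,
                              IN_CLOSE_WRITE | IN_ATTRIB | IN_MOVED_TO | IN_CREATE);
    if (w->wd < 0) {
        close(w->fd);
        w->fd = -1;
        return -1;
    }
    snprintf(w->name, sizeof(w->name), "%s", name);
    return 0;
}

/* Drain every queued event.  Returns 1 if any of them concerned the marker
 * file (reload needed), 0 if nothing relevant is pending, -1 on error.
 * Events that piled up while the server was busy become one reload. */
int reload_watch_check(struct reload_watch *w)
{
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    int changed = 0;

    for (;;) {
        ssize_t len = read(w->fd, buf, sizeof(buf));
        if (len < 0) {
            if (errno == EAGAIN || errno == EWOULDBLOCK)
                return changed;      /* queue empty: nothing more to read */
            if (errno == EINTR)
                continue;
            return -1;
        }
        for (char *p = buf; p < buf + len; ) {
            struct inotify_event *ev = (struct inotify_event *)p;
            if (ev->len > 0 && strcmp(ev->name, w->name) == 0)
                changed = 1;
            p += sizeof(*ev) + ev->len;
        }
    }
}

/* Self-contained demo: make a scratch directory (constructed path), plant
 * the marker the way a DS plugin would, and confirm the server side only
 * sees a reload when the marker really changed.  Returns 0 on success,
 * otherwise the number of the step that failed. */
int reload_watch_selftest(void)
{
    struct reload_watch w;
    char dir[] = "/tmp/kdc-reload-XXXXXX";
    char path[PATH_MAX];
    int fd, rc = 0;

    if (!mkdtemp(dir))
        return 1;
    snprintf(path, sizeof(path), "%s/%s", dir, "reload-marker");

    if (reload_watch_init(&w, dir, "reload-marker") != 0)                    rc = 2;
    else if (reload_watch_check(&w) != 0)                                     rc = 3; /* nothing yet */
    else if ((fd = open(path, O_WRONLY | O_CREAT, 0644)) < 0 || close(fd))    rc = 4; /* plugin creates marker */
    else if (reload_watch_check(&w) != 1)                                     rc = 5; /* exactly one reload */
    else if (reload_watch_check(&w) != 0)                                     rc = 6; /* queue drained */
    else if (utimensat(AT_FDCWD, path, NULL, 0) != 0)                         rc = 7; /* plain "touch" */
    else if (reload_watch_check(&w) != 1)                                     rc = 8; /* seen again */

    if (w.fd >= 0)
        close(w.fd);
    unlink(path);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = reload_watch_selftest();
    printf("reload watch self-test: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

In a real deployment the check would sit at the top of the request loop of each KDC worker process; each process keeps its own small inotify descriptor, which is the cheap per-process state the message contrasts with one persistent LDAP search per process. The SELinux policy adjustment the message mentions is outside what this example shows.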