Return-Path: Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by krbdev.mit.edu (Postfix) with ESMTPS id B9FC53F827 for ; Thu, 23 Oct 2014 15:13:24 -0400 (EDT) Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s9NJDN65023699 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Thu, 23 Oct 2014 19:13:23 GMT Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by ucsinet22.oracle.com (8.14.5+Sun/8.14.5) with ESMTP id s9NJDMGv011415 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for ; Thu, 23 Oct 2014 19:13:23 GMT Received: from abhmp0016.oracle.com (abhmp0016.oracle.com [141.146.116.22]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s9NJDMMG004005 for ; Thu, 23 Oct 2014 19:13:22 GMT MIME-Version: 1.0 Message-ID: Date: Thu, 23 Oct 2014 12:13:21 -0700 (PDT) From: Tsu-Phong Wu To: Subject: Re: [krbdev.mit.edu #8027] Client RPC timeout during kadmin listprincs command X-Mailer: Zimbra on Oracle Beehive Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline X-Source-Ip: ucsinet22.oracle.com [156.151.31.94] RT-Send-Cc: Content-Length: 1288 Thanks for the reply. Our current version is 1.8.6 (and an older version 1.4 something) and apparently we'll have issues there. Is there a bug# on this LDAP KDB performance and do you happen to know how big the effort is to port it to pre-1.9? Thanks. Tsu-Phong ----- Original Message ----- From: rt-comment@krbdev.mit.edu Sent: Tuesday, October 21, 2014 11:44:54 AM GMT -08:00 US/Canada Pacific Subject: [krbdev.mit.edu #8027] Client RPC timeout during kadmin listprincs command Before we commit to changing the default or making it configurable, I would like to know what version of Kerberos is being used on the back end. Prior to release 1.9, the LDAP KDB module takes O(N^2) time to iterate over N principals due to a combination of questionable design features. It is possible that retrieving even a hundred thousand principal names could be done in less than 120 seconds without this bug. If we do need to make a change, I would suggest using a very long timeout or (if possible) disable the timeout entirely. Since kadmin runs over TCP, there isn't really a strong need to time out if kadmind takes a long time to respond. _______________________________________________ krb5-bugs mailing list krb5-bugs@mit.edu https://mailman.mit.edu/mailman/listinfo/krb5-bugs