author | Greg Hudson <ghudson@mit.edu> | 2010-05-10 22:42:04 +0000 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2010-05-10 22:42:04 +0000 |
commit | 6eacb6d5f29da306ea605a5efb00c0d01c3182b1 (patch) | |
tree | 8b37e7da4e702e962560823515da5a744c5edf7c /doc | |
parent | f795c92a96a2a559fe01fc5906d488167ab6b4b9 (diff) | |
Add lockout-related performance tuning variables
The account lockout feature of krb5 1.8 came at a cost in database
accesses for principals requiring preauth, even if lockout is not
used. Add dbmodules variables disable_last_success and
disable_lockout for the DB2 and LDAP back ends, allowing the admin to
recover the lost performance at the cost of new functionality.
(Unrelated documentation fix: document database_name as a DB2-specific
dbmodules variable instead of the realm variable it used to be.)
ticket: 6719
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24003 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'doc')
-rw-r--r-- | doc/admin.texinfo | 21 |
1 files changed, 17 insertions, 4 deletions
diff --git a/doc/admin.texinfo b/doc/admin.texinfo index 1ec4685..7d2e797 100644 --- a/doc/admin.texinfo +++ b/doc/admin.texinfo @@ -1051,6 +1051,23 @@ For each section, the following tags may be specified in the subsection: @itemx db_library This tag indicates the name of the loadable database library. The value should be @samp{db2} for DB2 database and @samp{kldap} for LDAP database. +@itemx database_name +This DB2-specific tag indicates the location of the database. The +default is @* @code{@value{DefaultDatabaseName}}. + +@itemx disable_last_success +If set to @code{true}, suppresses KDC updates to the ``Last successful +authentication'' field of principal entries requiring preauthentication. +Setting this flag may improve performance. (Principal entries which do +not require preauthentication never update the ``Last successful +authentication'' field.) + +@itemx disable_lockout +If set to @code{true}, suppresses KDC updates to the ``Last failed +authentication'' and ``Failed password attempts'' fields of principal +entries requiring preauthentication. Setting this flag may improve +performance, but also disables account lockout. + @itemx ldap_kerberos_container_dn This LDAP specific tag indicates the DN of the container object where the realm objects will be located. @@ -1481,10 +1498,6 @@ database. The default is @code{@value{DefaultAclFile}}. daemons @code{kadmind4} and @code{v5passwdd} use to authenticate to the database. The default is @code{@value{DefaultAdminKeytab}}. -@itemx database_name -(String.) Location of the Kerberos database for this realm. The -default is @* @code{@value{DefaultDatabaseName}}. - @itemx default_principal_expiration (Absolute time string.) Specifies the default expiration date of principals created in this realm. The default value for this tag is |
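Review bot: In the first hunk (@@ -1051,6 +1051,23 @@), the new `@itemx disable_lockout` entry mentions its security cost only in a trailing clause, "but also disables account lockout", after the performance benefit. Suggest leading with the effect on lockout and stating that the ``Last failed authentication'' and ``Failed password attempts'' fields stop being updated, so an admin who relies on them for monitoring knows the signal is gone. Neither `disable_last_success` nor `disable_lockout` states its default, unlike the neighbouring `database_name` entry ("The default is ..."), and neither says which back ends it applies to, although the commit message limits them to DB2 and LDAP and the adjacent entries are marked "DB2-specific" and "LDAP specific". Adding the default and the back-end scope to both entries would remove the guesswork.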
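Review bot: In the second hunk (@@ -1481,10 +1498,6 @@), removing the `@itemx database_name` entry from the realm tags leaves no pointer for an admin whose existing configuration sets it there, and the commit message only says it is a realm variable "it used to be". Suggest keeping a one-line cross-reference at the old location that points to the DB2-specific entry and says whether a realm-level setting is still honored. The removed entry also carried the "(String.)" type annotation, which the relocated entry in the first hunk drops; say in the commit message whether that is intentional for this section's style.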