Re: Forking the KDC
> Rate limiting only applies to a single account (for both of the
> scenarios I'm considering). If I hold up everybody that might
> impact hundreds of requests.
Rate limiting should be based on client, IP address, and "network" and
not just based on requests per second.
> I'm not sure what I'm interested in necessarily belongs in the main
> tree. I'm asking about technical feasibility and potholes or land
> mines I might step on. ;-)
Forking the KDC creates problems with crypto-accelerators, pkcs11 and
creates an out-of-process DoS problem; other than that it should be "ok".
> Does the state machine have provisions for keeping a reply around
> for sending later? Also I wouldn't want to mix the processing from
> an external back-end with the Kerberos protocol front-end
> processing. Is there any asynchronous handling in the LDAP back-
> end that I should look at?
Not right now, but it should be really simple to add. There is no
async handling in the LDAP back-end right now. If the latency to do
crypto and database operations is too high, I'm afraid the answer is
threads.
Love
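
The rate-limiting point in the reply above (limit per client, per IP address and per "network", not only on requests per second) can be sketched as follows. This is an added example, not part of the original message and not Heimdal code; the function names, the /24 network size and all limits are assumptions chosen for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* All names and limits are hypothetical; this is not Heimdal code. */
#define MAX_BUCKETS 1024
struct bucket { char key[128]; double tokens, last; };
static struct bucket table[MAX_BUCKETS];
static int nbuckets;

/* Token bucket: refill `rate` tokens per second up to `burst`, spend one per request. */
static int take(const char *key, double rate, double burst, double now) {
    struct bucket *b = NULL;
    for (int i = 0; i < nbuckets && b == NULL; i++)
        if (strcmp(table[i].key, key) == 0) b = &table[i];
    if (b == NULL) {
        if (nbuckets == MAX_BUCKETS) return 0;      /* table full: refuse */
        b = &table[nbuckets++];
        snprintf(b->key, sizeof b->key, "%s", key); /* long keys are truncated */
        b->tokens = burst;
        b->last = now;
    }
    b->tokens += (now - b->last) * rate;
    if (b->tokens > burst) b->tokens = burst;
    b->last = now;
    if (b->tokens < 1.0) return 0;
    b->tokens -= 1.0;
    return 1;
}

/* Returns 1 if a request for `principal` from IPv4 address `ip` may proceed.
 * Source limits run first, so a source that is already throttled cannot
 * drain the budget of the account it is hammering. */
int kdc_allow(const char *principal, const char *ip, double now) {
    char k_ip[128], k_net[128], k_pr[128];
    struct in_addr a;
    if (inet_pton(AF_INET, ip, &a) != 1) return 0;
    snprintf(k_ip, sizeof k_ip, "ip:%s", ip);
    snprintf(k_net, sizeof k_net, "net:%08x", (unsigned)(ntohl(a.s_addr) & 0xFFFFFF00u)); /* /24 */
    snprintf(k_pr, sizeof k_pr, "princ:%s", principal);
    return take(k_ip, 2.0, 10.0, now)       /* per address */
        && take(k_net, 10.0, 20.0, now)     /* per "network" */
        && take(k_pr, 1.0, 5.0, now);       /* per client principal */
}

int main(void) {
    for (int i = 1; i <= 7; i++)   /* constructed input: same client, same instant */
        printf("request %d: %s\n", i, kdc_allow("alice@EXAMPLE.ORG", "192.0.2.10", 0.0) ? "allow" : "throttle");
    return 0;
}
```

The linear bucket table keeps the sketch short; a real KDC would need a hashed, expiring table so the limiter itself does not become a memory or CPU sink.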