Re: Forking the KDC

> Rate limiting only applies to a single account (for both of the  
> scenarios I'm considering).  If I hold up everybody that might  
> impact hundreds of requests.

Rate limiting should be based on client, IP address, and "network", and
not just on requests per second.

> I'm not sure what I'm interested in necessarily belongs in the main  
> tree.  I'm asking about technical feasibility and potholes or land  
> mines I might step on.  ;-)

Forking the KDC creates problems with crypto-accelerators and pkcs11, and
creates an out-of-process DoS problem; other than that it should be "ok".

> Does the state machine have provisions for keeping a reply around  
> for sending later?  Also I wouldn't want to mix the processing from  
> an external back-end with the Kerberos protocol front-end  
> processing.  Is there any asynchronous handling in the LDAP back-end
> that I should look at?

Not right now, but it should be really simple to add. There is no
async handling in the LDAP back-end right now. If the latency to do
crypto and database operations is too high, I'm afraid the answer is
threads.
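
The rate-limiting scheme suggested in this message (per client, per IP address and per "network"), sketched as an added example that is not part of the original message and is not KDC code. The class name, the limits and the /24 and /64 network prefixes are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Bucket:
    tokens: float   # requests still allowed right now
    stamp: float    # time of the last refill

class KdcRateLimiter:
    """Hypothetical limiter: one token bucket per client, per IP, per network."""
    # scope -> (burst capacity, refill per second); constructed values
    LIMITS = {"client": (5, 1.0), "ip": (20, 5.0), "network": (100, 20.0)}

    def __init__(self):
        # No eviction here: a real deployment must bound this table,
        # otherwise spoofed sources can grow it without limit.
        self.buckets = {}

    @staticmethod
    def network_of(ip):
        # Assumption: group IPv4 sources by /24 and IPv6 sources by /64.
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def _refill(self, scope, key, now):
        cap, rate = self.LIMITS[scope]
        b = self.buckets.setdefault((scope, key), Bucket(cap, now))
        b.tokens = min(cap, b.tokens + (now - b.stamp) * rate)
        b.stamp = now
        return b

    def allow(self, principal, ip, now):
        """Return (allowed, scope_that_denied)."""
        keys = [("client", principal), ("ip", ip),
                ("network", self.network_of(ip))]
        buckets = [self._refill(s, k, now) for s, k in keys]
        for (scope, _), b in zip(keys, buckets):
            if b.tokens < 1.0:
                # Denied requests are not charged, so a flood against one
                # principal cannot drain the shared IP and network buckets.
                return False, scope
        for b in buckets:
            b.tokens -= 1.0
        return True, None

if __name__ == "__main__":
    rl = KdcRateLimiter()
    for i in range(7):
        print(i, rl.allow("alice@EXAMPLE.COM", "192.0.2.10", now=0.0))
    print(rl.allow("bob@EXAMPLE.COM", "192.0.2.10", now=0.0))
```

Because a denied request consumes nothing from the wider scopes, a throttled account does not hold up other clients behind the same address or network.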