|
Packit Service |
99d1c0 |
Database types
|
|
Packit Service |
99d1c0 |
==============
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
A Kerberos database can be implemented with one of three built-in
|
|
Packit Service |
99d1c0 |
database providers, called KDB modules. Software which incorporates
|
|
Packit Service |
99d1c0 |
the MIT krb5 KDC may also provide its own KDB module. The following
|
|
Packit Service |
99d1c0 |
subsections describe the three built-in KDB modules and the
|
|
Packit Service |
99d1c0 |
configuration specific to them.
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
The database type can be configured with the **db_library** variable
|
|
Packit Service |
99d1c0 |
in the :ref:`dbmodules` subsection for the realm. For example::
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
[dbmodules]
|
|
Packit Service |
99d1c0 |
ATHENA.MIT.EDU = {
|
|
Packit Service |
99d1c0 |
db_library = db2
|
|
Packit Service |
99d1c0 |
}
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
If the ``ATHENA.MIT.EDU`` realm subsection contains a
|
|
Packit Service |
99d1c0 |
**database_module** setting, then the subsection within
|
|
Packit Service |
99d1c0 |
``[dbmodules]`` should use that name instead of ``ATHENA.MIT.EDU``.
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
To transition from one database type to another, stop the
|
|
Packit Service |
99d1c0 |
:ref:`kadmind(8)` service, use ``kdb5_util dump`` to create a dump
|
|
Packit Service |
99d1c0 |
file, change the **db_library** value and set any appropriate
|
|
Packit Service |
99d1c0 |
configuration for the new database type, and use ``kdb5_util load`` to
|
|
Packit Service |
99d1c0 |
create and populate the new database. If the new database type is
|
|
Packit Service |
99d1c0 |
LDAP, create the new database using ``kdb5_ldap_util`` and populate it
|
|
Packit Service |
99d1c0 |
from the dump file using ``kdb5_util load -update``. Then restart the
|
|
Packit Service |
99d1c0 |
:ref:`krb5kdc(8)` and :ref:`kadmind(8)` services.
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
Berkeley database module (db2)
|
|
Packit Service |
99d1c0 |
------------------------------
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
The default KDB module is ``db2``, which uses a version of the
|
|
Packit Service |
99d1c0 |
Berkeley DB library. It creates four files based on the database
|
|
Packit Service |
99d1c0 |
pathname. If the pathname ends with ``principal`` then the four files
|
|
Packit Service |
99d1c0 |
are:
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
* ``principal``, containing principal entry data
|
|
Packit Service |
99d1c0 |
* ``principal.ok``, a lock file for the principal database
|
|
Packit Service |
99d1c0 |
* ``principal.kadm5``, containing policy object data
|
|
Packit Service |
99d1c0 |
* ``principal.kadm5.lock``, a lock file for the policy database
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
For large databases, the :ref:`kdb5_util(8)` **dump** command (perhaps
|
|
Packit Service |
99d1c0 |
invoked by :ref:`kprop(8)` or by :ref:`kadmind(8)` for incremental
|
|
Packit Service |
99d1c0 |
propagation) may cause :ref:`krb5kdc(8)` to stop for a noticeable
|
|
Packit Service |
99d1c0 |
period of time while it iterates over the database. This delay can be
|
|
Packit Service |
99d1c0 |
avoided by disabling account lockout features so that the KDC does not
|
|
Packit Service |
99d1c0 |
perform database writes (see :ref:`disable_lockout`). Alternatively,
|
|
Packit Service |
99d1c0 |
a slower form of iteration can be enabled by setting the
|
|
Packit Service |
99d1c0 |
**unlockiter** variable to ``true``. For example::
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
[dbmodules]
|
|
Packit Service |
99d1c0 |
ATHENA.MIT.EDU = {
|
|
Packit Service |
99d1c0 |
db_library = db2
|
|
Packit Service |
99d1c0 |
unlockiter = true
|
|
Packit Service |
99d1c0 |
}
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
In rare cases, a power failure or other unclean system shutdown may
|
|
Packit Service |
99d1c0 |
cause inconsistencies in the internal pointers within a database file,
|
|
Packit Service |
99d1c0 |
such that ``kdb5_util dump`` cannot retrieve all principal entries in
|
|
Packit Service |
99d1c0 |
the database. In this situation, it may be possible to retrieve all
|
|
Packit Service |
99d1c0 |
of the principal data by running ``kdb5_util dump -recurse`` to
|
|
Packit Service |
99d1c0 |
iterate over the database using the tree pointers instead of the
|
|
Packit Service |
99d1c0 |
iteration pointers. Running ``kdb5_util dump -rev`` to iterate over
|
|
Packit Service |
99d1c0 |
the database backwards may also retrieve some of the data which is not
|
|
Packit Service |
99d1c0 |
retrieved by a normal dump operation.
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
Lightning Memory-Mapped Database module (klmdb)
|
|
Packit Service |
99d1c0 |
-----------------------------------------------
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
The klmdb module was added in release 1.17. It uses the LMDB library,
|
|
Packit Service |
99d1c0 |
and may offer better performance and reliability than the db2 module.
|
|
Packit Service |
99d1c0 |
It creates four files based on the database pathname. If the pathname
|
|
Packit Service |
99d1c0 |
ends with ``principal``, then the four files are:
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
* ``principal.mdb``, containing policy object data and most principal
|
|
Packit Service |
99d1c0 |
entry data
|
|
Packit Service |
99d1c0 |
* ``principal.mdb-lock``, a lock file for the primary database
|
|
Packit Service |
99d1c0 |
* ``principal.lockout.mdb``, containing the account lockout attributes
|
|
Packit Service |
99d1c0 |
(last successful authentication time, last failed authentication
|
|
Packit Service |
99d1c0 |
time, and number of failed attempts) for each principal entry
|
|
Packit Service |
99d1c0 |
* ``principal.lockout.mdb-lock``, a lock file for the lockout database
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
Separating out the lockout attributes ensures that the KDC will never
|
|
Packit Service |
99d1c0 |
block on an administrative operation such as a database dump or load.
|
|
Packit Service |
99d1c0 |
It also allows the KDC to operate without write access to the primary
|
|
Packit Service |
99d1c0 |
database. If both account lockout features are disabled (see
|
|
Packit Service |
99d1c0 |
:ref:`disable_lockout`), the lockout database files will be created
|
|
Packit Service |
99d1c0 |
but will not subsequently be opened, and the account lockout
|
|
Packit Service |
99d1c0 |
attributes will always have zero values.
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
Because LMDB creates a memory map to the database files, it requires a
|
|
Packit Service |
99d1c0 |
configured memory map size which also determines the maximum size of
|
|
Packit Service |
99d1c0 |
the database. This size is applied equally to the two databases, so
|
|
Packit Service |
99d1c0 |
twice the configured size will be consumed in the process address
|
|
Packit Service |
99d1c0 |
space; this is primarily a limitation on 32-bit platforms. The
|
|
Packit Service |
99d1c0 |
default value of 128 megabytes should be sufficient for several
|
|
Packit Service |
99d1c0 |
hundred thousand principal entries. If the limit is reached, kadmin
|
|
Packit Service |
99d1c0 |
operations will fail and the error message "Environment mapsize limit
|
|
Packit Service |
99d1c0 |
reached" will appear in the kadmind log file. In this case, the
|
|
Packit Service |
99d1c0 |
**mapsize** variable can be used to increase the map size. The
|
|
Packit Service |
99d1c0 |
following example sets the map size to 512 megabytes::
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
[dbmodules]
|
|
Packit Service |
99d1c0 |
ATHENA.MIT.EDU = {
|
|
Packit Service |
99d1c0 |
db_library = klmdb
|
|
Packit Service |
99d1c0 |
mapsize = 512
|
|
Packit Service |
99d1c0 |
}
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
LMDB has a configurable maximum number of readers. The default value
|
|
Packit Service |
99d1c0 |
of 128 should be sufficient for most deployments. If you are going to
|
|
Packit Service |
99d1c0 |
use a large number of KDC worker processes, it may be necessary to set
|
|
Packit Service |
99d1c0 |
the **max_readers** variable to a larger number.
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
By default, LMDB synchronizes database files to disk after each write
|
|
Packit Service |
99d1c0 |
transaction to ensure durability in the case of an unclean system
|
|
Packit Service |
99d1c0 |
shutdown. The klmdb module always turns synchronization off for the
|
|
Packit Service |
99d1c0 |
lockout database to ensure reasonable KDC performance, but leaves it
|
|
Packit Service |
99d1c0 |
on for the primary database. If high throughput for administrative
|
|
Packit Service |
99d1c0 |
operations (including password changes) is required, the **nosync**
|
|
Packit Service |
99d1c0 |
variable can be set to "true" to disable synchronization for the
|
|
Packit Service |
99d1c0 |
primary database.
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
The klmdb module does not support explicit locking with the
|
|
Packit Service |
99d1c0 |
:ref:`kadmin(1)` **lock** command.
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
LDAP module (kldap)
|
|
Packit Service |
99d1c0 |
-------------------
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
The kldap module stores principal and policy data using an LDAP
|
|
Packit Service |
99d1c0 |
server. To use it you must configure an LDAP server to use the
|
|
Packit Service |
99d1c0 |
Kerberos schema. See :ref:`conf_ldap` for details.
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
Because :ref:`krb5kdc(8)` is single-threaded, latency in LDAP database
|
|
Packit Service |
99d1c0 |
accesses may limit KDC operation throughput. If the LDAP server is
|
|
Packit Service |
99d1c0 |
located on the same server host as the KDC and accessed through an
|
|
Packit Service |
99d1c0 |
``ldapi://`` URL, latency should be minimal. If this is not possible,
|
|
Packit Service |
99d1c0 |
consider starting multiple KDC worker processes with the
|
|
Packit Service |
99d1c0 |
:ref:`krb5kdc(8)` **-w** option to enable concurrent processing of KDC
|
|
Packit Service |
99d1c0 |
requests.
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
The kldap module does not support explicit locking with the
|
|
Packit Service |
99d1c0 |
:ref:`kadmin(1)` **lock** command.
|