Update kdcpolicy design doc for jitter implementation

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Robbie Harwood 2020-11-10 16:02:30 -05:00 committed by Alexander Bokovoy
parent 82e69008ad
commit 249097c624

@ -91,8 +91,10 @@ where administrators can specify max renew and life for each supported auth indi
### Ticket lifetime jitter
Ticket lifetimes can be jittered so that renewals / re-issues do not overwhelm the KDC at a certain moment.
The feature is enabled automatically so that we can avoid triggering an LDAP query on every `AS_REQ` and `TGS_REQ`.
All TGT lifetimes are varied slightly to avoid overwhelming the KDC with
simultaneous renewal requests. Jitter will reduce lifetimes by up to one hour
from the configured maximum lifetime (per policy). Significantly shorter
requested lifetimes will be unaffected.
## Implementation
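Review bot: "Significantly shorter requested lifetimes will be unaffected" in the jitter paragraph gives no threshold, so an administrator reading the doc cannot tell which requests keep their exact lifetime. Suggest stating the cutoff relative to the configured maximum, for example whether it is the same one-hour window that bounds the jitter. The paragraph also says "All TGT lifetimes" under a heading about ticket lifetimes, next to a sentence that names both `AS_REQ` and `TGS_REQ`; it would help to say explicitly whether service tickets are jittered and whether the max renew value is reduced along with the lifetime.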