Update kdcpolicy design doc for jitter implementation

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Robbie Harwood 2020-11-10 16:02:30 -05:00 committed by Alexander Bokovoy
parent 82e69008ad
commit 249097c624

@ -91,8 +91,10 @@ where administrators can specify max renew and life for each supported auth indi
### Ticket lifetime jitter ### Ticket lifetime jitter
Ticket lifetimes can be jittered so that renewals / re-issues do not overwhelm the KDC at a certain moment. All TGT lifetimes are varied slightly to avoid overwhelming the KDC with
The feature is enabled automatically so that we can avoid triggering an LDAP query on every `AS_REQ` and `TGS_REQ`. simultaneous renewal requests. Jitter will reduce lifetimes by up to one hour
from the configured maximum lifetime (per policy). Significantly shorter
requested lifetimes will be unaffected.
## Implementation ## Implementation
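
Review bot: "Significantly shorter requested lifetimes will be unaffected" in the rewritten jitter paragraph leaves the cutoff undefined, so an administrator cannot tell from the doc whether a given requested lifetime will be jittered. Suggest stating the threshold relative to the configured maximum, and what happens when the per-policy maximum is itself under one hour, since "reduce lifetimes by up to one hour" has no stated floor. The paragraph also now says "All TGT lifetimes" where the earlier wording said "Ticket lifetimes", and it drops the sentence that the feature is enabled automatically; it would help to say explicitly whether service tickets are jittered and whether jitter can be turned off.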