Update kdcpolicy design doc for jitter implementation
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
frozencemetery authored and abbra committed Nov 17, 2020
1 parent 82e6900 commit 249097c
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions doc/designs/krb-ticket-policy.md
Expand Up @@ -91,8 +91,10 @@ where administrators can specify max renew and life for each supported auth indi

### Ticket lifetime jitter

Ticket lifetimes can be jittered so that renewals / re-issues do not overwhelm the KDC at a certain moment.
The feature is enabled automatically so that we can avoid triggering an LDAP query on every `AS_REQ` and `TGS_REQ`.
All TGT lifetimes are varied slightly to avoid overwhelming the KDC with
simultaneous renewal requests. Jitter will reduce lifetimes by up to one hour
from the configured maximum lifetime (per policy). Significantly shorter
requested lifetimes will be unaffected.

## Implementation
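
Review bot: "Significantly shorter" in the last sentence of the new paragraph has no stated threshold, so a reader cannot tell which requested lifetimes escape jitter; state the cutoff relative to the configured maximum lifetime. The paragraph also does not cover a policy whose maximum lifetime is itself one hour or less, where a reduction of "up to one hour" could leave very little lifetime, so a stated floor or cap would help. It says "All TGT lifetimes" while the sentence it replaces mentioned both `AS_REQ` and `TGS_REQ`, so say explicitly whether service tickets are jittered. The removed text noted that the feature is enabled automatically; if that still holds, keep a sentence saying so and whether it can be turned off.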
