The LDAP search performance on principal name attributes impacts the authentication performance of the Novell Kerberos KDC.
Before deploying the Novell Kerberos KDC, review and consider the following guidelines to optimize the LDAP search:
Create a DS replica indexed on the krbPrincipalName attribute: During Kerberos authentication, the Novell Kerberos KDC searches for the principal name attribute within the specified subtree containers. The search is faster when the container is small and flat. The search time increases as the size and nesting increase.
To increase the search performance, create separate DS replicas and implement value indexing on the krbPrincipalName attribute. Use this replica server as the LDAP server for KDC, Administration, and Password server access. This indexing on the principal name improves the speed of the search.
Create aliases for identities in large trees: If a large eDirectory™ tree has users with Kerberos identities spread all over the tree, we recommend creating Kerberos alias objects for those eDirectory users and keeping all the Kerberos alias objects under the realm container. This simplifies the search and speeds up Kerberos authentication.