[Freeipa-devel] [PATCH] 492 Add options to reduce writes from KDC

Rob Crittenden rcritten at redhat.com
Thu Jun 7 19:29:43 UTC 2012


Simo Sorce wrote:
> On Mon, 2012-06-04 at 22:59 -0400, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> The original ldap driver we used up to 2.2 had 2 options admins could
>>> set to limit the amount of writes to the database on certain auditing
>>> related operations.
>>> In particular disable_last_success is really important to reduce the
>>> load on database servers.
>>>
>>> I have implemented ticket #2734 with a little twist. Instead of adding
>>> local options in krb5.conf I create global options in the LDAP tree, so
>>> that all KDCs in the domain have the same configuration.
>>>
>>> The 2 new options can be set in the ipaConfigString attribute of the
>>> cn=ipaConfig object under cn=etc,$SUFFIX
>>>
>>> These are:
>>> KDC:Disable Last Success
>>> KDC:Disable Lockout
>>>
>>> The first string if set will disable updating the krbLastSuccessfulAuth
>>> field in the service/user entry.
>>> The second one will prevent changing any of the Lockout related fields
>>> and will effectively disable lockout policies.
>>>
>>> I think we may want to set the first one by default in future.
>>> The last successful auth field is not very interesting in general and is
>>> cause for a lot of writes that put a lot of pressure on the LDAP server and get
>>> replicated everywhere with a storm multiplier effect we'd like to avoid.
>>>
>>> The lockout one instead happens only when there are failed authentication
>>> attempts; this means it never happens when keytabs are used, for example.
>>> And even with users it should happen rarely enough that tracking lockouts
>>> by default makes leaving these writes on by default a good tradeoff.
>>>
>>> Note that simply setting the lockout policy to never lockout is *not*
>>> equivalent to setting KDC:Disable Lockout, as it does not prevent writes
>>> to the database.
>>>
>>> I've tested setting KDC:Disable Last Success and it effectively prevents
>>> MOD operations from showing up in the server access log.
>>>
>>> Any change to these configuration options requires a reconnection from
>>> the KDC to the LDAP server, the simplest way to cause that is to restart
>>> the KDC service.
>>>
>>> Simo.
>>
>> In ipadb_get_global_configs() should there be a call to LOG_OOM()?
>>
>> Also, if ipadb_simple_search() or ipadb_get_global_configs() fails
>> should we log the result code when non-zero?
>
> Well this code runs in the KDC, not in DIRSRV so LOG_OOM() wouldn't
> work.
> Perhaps we should add KDC_LOG() macros, but that would be a separate
> task imo.
>
> Simo.
>

Ah, right, sorry about that. I opened a separate ticket to improve 
logging in the ipa-kdb module.

ACK, pushed to master and ipa-2-2.

rob
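As an added example (not code from the patch or the FreeIPA project), one way to flip the switches the thread describes: emit the LDIF for cn=ipaConfig,cn=etc,$SUFFIX, apply it, read the attribute back and restart the KDC so the driver reconnects. The base DN, the krb5kdc service name and the GSSAPI bind are assumptions, not stated in the thread.

```shell
#!/bin/sh
# Added example: toggle "KDC:Disable Last Success" / "KDC:Disable Lockout"
# in ipaConfigString on cn=ipaConfig,cn=etc,$SUFFIX, then restart the KDC
# so ipa-kdb reconnects and re-reads the global config (see thread).
# Assumptions: base DN, krb5kdc service name, GSSAPI bind with an admin ticket.

SUFFIX="${SUFFIX:-dc=example,dc=com}"   # placeholder base DN, set for your realm

# Exact strings the KDC driver matches in ipaConfigString.
is_kdc_switch() {
    case "$1" in
        "KDC:Disable Last Success"|"KDC:Disable Lockout") return 0 ;;
        *) return 1 ;;
    esac
}

# Emit an LDIF that adds (op=add) or removes (op=delete) one switch.
# Output only; nothing is sent to the directory from here.
kdc_switch_ldif() {
    op="$1"; value="$2"
    is_kdc_switch "$value" || { echo "unknown switch: $value" >&2; return 1; }
    printf 'dn: cn=ipaConfig,cn=etc,%s\nchangetype: modify\n%s: ipaConfigString\nipaConfigString: %s\n' \
        "$SUFFIX" "$op" "$value"
}

# Apply the change, show the resulting attribute values, then restart the
# KDC: a config change only takes effect after the KDC reconnects to LDAP.
apply_kdc_switch() {
    kdc_switch_ldif "$1" "$2" | ldapmodify -Y GSSAPI -H "ldap://$(hostname -f)"
    ldapsearch -Y GSSAPI -H "ldap://$(hostname -f)" -LLL \
        -b "cn=ipaConfig,cn=etc,$SUFFIX" -s base ipaConfigString
    service krb5kdc restart
}

# Only touch the directory when explicitly asked, e.g.
#   IPA_APPLY=1 sh kdc-switch.sh add "KDC:Disable Last Success"
if [ "${IPA_APPLY:-0}" = 1 ]; then
    apply_kdc_switch "$1" "$2"
fi
```

After the restart, MOD operations against user and service entries for successful auths should stop appearing in the directory server access log, which is the check Simo describes above.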
