[Freeipa-devel] [PATCH] 492 Add options to reduce writes from KDC

Simo Sorce simo at redhat.com
Tue May 29 20:32:25 UTC 2012


On Fri, 2012-05-25 at 18:36 -0400, Simo Sorce wrote:
> The original ldap driver we used up to 2.2 had 2 options admins could
> set to limit the amount of writes to the database on certain auditing
> related operations.
> In particular disable_last_success is really important to reduce the
> load on database servers.
> 
> I have implemented ticket #2734 with a little twist. Instead of adding
> local options in krb5.conf I create global options in the LDAP tree, so
> that all KDCs in the domain have the same configuration.
> 
> The 2 new options can be set in ipaConfigString attribute of the
> cn=ipaConfig object under cn=etc,$SUFFIX
> 
> These are:
> KDC:Disable Last Success
> KDC:Disable Lockout
> 
> The first string if set will disable updating the krbLastSuccessfulAuth
> field in the service/user entry.
> The second one will prevent changing any of the Lockout related fields
> and will effectively disable lockout policies.
> 
> I think we may want to set the first one by default in the future.
> The last successful auth field is not very interesting in general and is
> the cause of a lot of writes that put a lot of pressure on the LDAP server
> and get replicated everywhere with a storm multiplier effect we'd like to
> avoid.
> 
> The lockout one instead happens only when there are failed authentication
> attempts, which means it never happens when keytabs are used, for example.
> And even with users it should happen rarely enough that tracking lockouts
> makes leaving these writes on by default a good tradeoff.
> 
> Note that simply setting the lockout policy to never lockout is *not*
> equivalent to setting KDC:Disable Lockout, as it does not prevent writes
> to the database.
> 
> I've tested setting KDC:Disable Last Success and it effectively prevents
> MOD operations from showing up in the server access log.
> 
> Any change to these configuration options requires a reconnection from
> the KDC to the LDAP server, the simplest way to cause that is to restart
> the KDC service.

Attached also rebased patch that cleanly applies on top of 2.2.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-2.2-simo-492-1-Add-support-for-disabling-KDC-writes.patch
Type: text/x-patch
Size: 6822 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120529/6f3b20c3/attachment.bin>
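The message above gives the object and attribute the new flags live in but not the commands an admin would type. The following is an added example, not part of the patch or of FreeIPA itself: it emits the LDIF modify for cn=ipaConfig,cn=etc,$SUFFIX, applies it with OpenLDAP's ldapmodify, checks the result with ldapsearch, and restarts the KDC so it reconnects and picks the options up. The suffix dc=example,dc=com, the ldap://localhost host, the cn=Directory Manager bind DN and the krb5kdc service name are assumptions for a typical IPA master of that era, not values taken from the thread.

```shell
#!/bin/sh
# Added example (not from the patch or the FreeIPA tree): set or clear the
# two KDC write-reduction flags described in the thread.
# Assumed placeholders: suffix dc=example,dc=com, host ldap://localhost,
# bind DN cn=Directory Manager, KDC service name krb5kdc.
set -eu

# Emit an LDIF modify that adds or deletes the flags on cn=ipaConfig.
# Usage: kdc_write_ldif SUFFIX [add|delete] [last-success yes|no] [lockout yes|no]
kdc_write_ldif() {
    suffix=$1
    op=${2:-add}
    last=${3:-yes}   # KDC:Disable Last Success is the one worth enabling by default
    lock=${4:-no}    # KDC:Disable Lockout also disables lockout policy enforcement
    printf 'dn: cn=ipaConfig,cn=etc,%s\n' "$suffix"
    printf 'changetype: modify\n'
    printf '%s: ipaConfigString\n' "$op"
    if [ "$last" = yes ]; then
        printf 'ipaConfigString: KDC:Disable Last Success\n'
    fi
    if [ "$lock" = yes ]; then
        printf 'ipaConfigString: KDC:Disable Lockout\n'
    fi
    printf '%s\n' -
}

# Read ldapsearch LDIF output on stdin; exit 0 if FLAG is present, 1 otherwise.
# Usage: kdc_show SUFFIX | kdc_flag_set 'KDC:Disable Last Success'
kdc_flag_set() {
    grep -qxF "ipaConfigString: $1"
}

# Dump the current ipaConfigString values of cn=ipaConfig (anonymous read).
kdc_show() {
    ldapsearch -x -LLL -H ldap://localhost \
        -b "cn=ipaConfig,cn=etc,$1" -s base ipaConfigString
}

# Apply the change as Directory Manager (prompts for the password), then
# restart the KDC: the thread notes the options are only read on reconnect.
kdc_apply() {
    kdc_write_ldif "$1" add yes no |
        ldapmodify -x -H ldap://localhost -D 'cn=Directory Manager' -W
    service krb5kdc restart
}

# Stand-alone run: print the LDIF that would be applied for the assumed suffix.
kdc_write_ldif "${SUFFIX:-dc=example,dc=com}" add yes no
```

Deleting the flags again is the same LDIF with `delete` in place of `add`, followed by another KDC restart. Note that clearing KDC:Disable Lockout re-enables lockout writes immediately after the restart, so check the server access log for the expected MOD operations afterwards, as the thread does for the last-success case.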

