[Freeipa-devel] [PATCH] 0138, 0141: ipa-kdb fixes

Alexander Bokovoy abokovoy at redhat.com
Wed Feb 26 08:33:03 UTC 2014


On Wed, 26 Feb 2014, Martin Kosek wrote:
>On 02/25/2014 07:59 PM, Simo Sorce wrote:
>> On Tue, 2014-02-25 at 20:58 +0200, Alexander Bokovoy wrote:
>>> Resending patch 0138 together with another case Simo found out today:
>>> when authdata flag is cleared by admin for the service principal, we'll
>>> get NULL client database entry. In such case we have to bail out.
>>
>> The patches look correct code-flow-wise to me.
>>
>> So tentative ack pending testing.
>>
>> Simo.
>>
>
>Just checking - are we ok performance wise? If we for example add one
>additional LDAP search for every Kerberos authentication, it may increase the
>load on our LDAP server.
One additional LDAP query per S4U2Proxy ticket issuance. It is not much,
and it has to be done because the current code does it wrongly for MS-PAC.

It is worth noting that issuing tickets should be a relatively rare
operation -- with sessions in the IPA server we don't hit HTTP/->ldap/
service ticket granting in the S4U2Proxy case more than once.

The 'ipa trust-add' case is a bit more specific, but you rarely establish
trusts every second of the day, do you?

For normal operations it wouldn't affect anything beyond the statistical
noise level.

-- 
/ Alexander Bokovoy
