[Freeipa-devel] [PATCH] 0138, 0141: ipa-kdb fixes

Simo Sorce simo at redhat.com
Wed Feb 26 13:40:30 UTC 2014


On Wed, 2014-02-26 at 12:39 +0100, Martin Kosek wrote:
> On 02/26/2014 09:33 AM, Alexander Bokovoy wrote:
> > On Wed, 26 Feb 2014, Martin Kosek wrote:
> >> On 02/25/2014 07:59 PM, Simo Sorce wrote:
> >>> On Tue, 2014-02-25 at 20:58 +0200, Alexander Bokovoy wrote:
> >>>> Resending patch 0138 together with another case Simo found out today:
> >>>> when the authdata flag is cleared by the admin for the service principal, we'll
> >>>> get a NULL client database entry. In such a case we have to bail out.
> >>>
> >>> The patches look correct code-flow-wise to me.
> >>>
> >>> So tentative ack pending testing.
> >>>
> >>> Simo.
> >>>
> >>
> >> Just checking - are we ok performance-wise? If we, for example, add one
> >> additional LDAP search for every Kerberos authentication, it may increase the
> >> load on our LDAP server.
> > One additional LDAP query per S4U2Proxy ticket issuing. It is not much,
> > and it has to be done because the current code does it wrongly for MS-PAC.
> > 
> > It is worth noting that issuing tickets should be a relatively rare
> > operation -- with sessions in the IPA server we don't hit HTTP/->ldap/
> > service ticket granting in the S4U2Proxy case more than once.
> > The 'ipa trust-add' case is a bit more specific, but you rarely establish
> > trusts every second of the day, do you?
> > 
> > For normal operations it wouldn't affect anything beyond statistical
> > noise level.
> > 
> 
> If this only hits web management of FreeIPA (i.e. S4U2 proxy scenario) and the
> usual SSSD operations, then I have no concerns here.

Yes, this is a relatively rare event for now.
But even if it weren't, there is no workaround for now.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York