<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 10/08/2015 11:03 AM, David Kupka
wrote:<br>
</div>
<blockquote cite="mid:5616317D.7090504@redhat.com" type="cite">On
07/10/15 17:32, thierry bordaz wrote:
<br>
<blockquote type="cite">On 10/07/2015 05:29 PM, Simo Sorce wrote:
<br>
<blockquote type="cite">On 07/10/15 11:06, thierry bordaz wrote:
<br>
<blockquote type="cite">On 10/07/2015 03:10 PM, David Kupka
wrote:
<br>
<blockquote type="cite">On 06/10/15 17:52, Jakub Hrozek
wrote:
<br>
<blockquote type="cite">On Tue, Oct 06, 2015 at 08:32:29AM
-0400, Simo Sorce wrote:
<br>
<blockquote type="cite">On 06/10/15 08:04, David Kupka
wrote:
<br>
<blockquote type="cite">On 06/10/15 13:35, Simo Sorce
wrote:
<br>
<blockquote type="cite">On 06/10/15 03:51, thierry
bordaz wrote:
<br>
<blockquote type="cite">On 10/06/2015 07:19 AM,
David Kupka wrote:
<br>
<blockquote type="cite">On 05/10/15 16:12, Simo
Sorce wrote:
<br>
<blockquote type="cite">On 05/10/15 09:00,
Martin Babinsky wrote:
<br>
<blockquote type="cite">These patches
implement the plumbing required to
properly
<br>
support
<br>
canonicalization of Kerberos principals (
<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/3864">https://fedorahosted.org/freeipa/ticket/3864</a>).
<br>
<br>
Setting multiple principal aliases on
hosts/services is beyond
<br>
the
<br>
scope
<br>
of this patchset and should be done after
these patches are
<br>
pushed.
<br>
<br>
I will try to send some tests for the
patches later this week.
<br>
<br>
Please review the hell out of them.
<br>
</blockquote>
<br>
LGTM, I do not see any issue at quick visual
inspection.
<br>
What about the performance regression with
the indexes ? Is
<br>
that bug
<br>
fixed in 389ds ?
<br>
<br>
Simo.
<br>
<br>
<br>
</blockquote>
<br>
The issue is still there. Thierry investigated
this in 389 DS
<br>
and IIUC
<br>
he is not sure if it's bug or completely
missing feature.
<br>
Therefore we
<br>
still don't know how much time is needed
there.
<br>
<br>
</blockquote>
Hi,
<br>
that is correct.
<br>
I can reproduce the problem. Although the
matching rule (in my
<br>
test
<br>
caseIgnoreIA5Match) is found, it has no
registered indexing
<br>
function, so
<br>
the setting (nsMatchingRule) is ignored.
<br>
I do not know if the indexing function is
missing or there is a
<br>
bug so
<br>
that the matching rule "forget" to register it.
<br>
This feature is documented but I can not find
any QA test around
<br>
it, so
<br>
I do not know yet if it is a regression or if it
was not enabled
<br>
at all.
<br>
<br>
I do not expect rapid progress on it. How urgent
is it ? 7.3 ?
<br>
For the moment I can think to only two
workarounds:
<br>
<br>
* use filtered matching rule (preferred)
<br>
* change the attribute syntax/matching rule,
in the schema (I
<br>
would
<br>
discourage this one because changing the
schema is risky)
<br>
</blockquote>
<br>
We can't change the syntax at this point.
<br>
<br>
Well this patchset is blocked until the 389 ds bug
is fixed (the
<br>
performance regression is too big to just put it
in and hope) so I
<br>
guess
<br>
we'll have to negotiate a time for the fix.
<br>
<br>
Simo.
<br>
<br>
</blockquote>
<br>
I agree that we really shouldn't change schema.
<br>
<br>
But I don't think the patches're necessary blocked
by this issue.
<br>
Canonicalization was never supported in FreeIPA and
when it is not
<br>
requested the performance is not effected at all. We
could merge
<br>
patches
<br>
as soon as they're carefully reviewed and tested to
avoid tedious
<br>
rebasing and start using the new functionality when
389 DS gets
<br>
fixed.
<br>
</blockquote>
<br>
The fact we didn't do canonicalization this way
doesn't mean clients
<br>
aren't
<br>
asking for it.
<br>
<br>
I think Windows clients ask for canonicalization by
default, and in
<br>
SSSD I
<br>
see we turn on by default krb5_canonicalize in the IPA
nd LDAP case
<br>
(oddly
<br>
enough not in the AD case ?)
<br>
<br>
So SSSD's authentication requests would end up hitting
this case all
<br>
the
<br>
time if I am reading the code correctly (CCed Jakub to
<br>
confirm/dispel this).
<br>
</blockquote>
<br>
We ask for canonicalization always in IPA and LDAP, but
also whenever
<br>
enterprise principals are used, which is true for AD
provider.
<br>
<br>
</blockquote>
<br>
Then SSSD will hit this every time it requests ticket on
behalf of
<br>
user.
<br>
But to be sure what the impact would be I've once again
set up FreeIPA
<br>
server with 10K users and run some tests.
<br>
<br>
1) 3 LDAP searches (caseIgnoreIA5Match, caseExactIA5Match,
without
<br>
specifying the matching rule).
<br>
Results (<a class="moz-txt-link-freetext" href="http://fpaste.org/275847/44221770/raw/">http://fpaste.org/275847/44221770/raw/</a>) shows
that unindexed
<br>
search takes ~100 times longer than indexed.
<br>
<br>
2) kinit with and without requested canonicalization.
<br>
<br>
As we use kinit to get the ticket it makes sense to check
what will
<br>
the performance hit be when we run kinit as a whole and
not just an
<br>
isolated LDAP search.
<br>
The results (<a class="moz-txt-link-freetext" href="http://fpaste.org/275848/21793144/raw/">http://fpaste.org/275848/21793144/raw/</a>) shows
that with
<br>
canonicalization it takes ~2 times longer than without it.
<br>
While this is nothing to be happy about it's certainly
better than I
<br>
would expect.
<br>
<br>
</blockquote>
Clearly we need to make the search indexed.
<br>
In your deployment you defined:
<br>
<br>
dn:
uid=user1000098,cn=users,cn=accounts,dc=example,dc=test
<br>
uid: user1000098
<br>
givenName: Test
<br>
sn: User1000098
<br>
cn: Test User1000098
<br>
initials: TU
<br>
homeDirectory: /home/user1000098
<br>
gecos: Test User1000098
<br>
loginShell: /bin/sh
<br>
mail: <a class="moz-txt-link-abbreviated" href="mailto:user1000098@example.test">user1000098@example.test</a>
<br>
uidNumber: 7611001000098
<br>
gidNumber: 7611001000098
<br>
displayName: Test User1000098
<br>
*krbPrincipalName: <a class="moz-txt-link-abbreviated" href="mailto:user1000098@EXAMPLE.TEST*">user1000098@EXAMPLE.TEST*</a>
<br>
*krbCanonicalName: <a class="moz-txt-link-abbreviated" href="mailto:user1000098@EXAMPLE.TEST*">user1000098@EXAMPLE.TEST*</a>
<br>
memberOf:
cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
<br>
objectClass: ipaobject
<br>
objectClass: person
<br>
objectClass: top
<br>
objectClass: ipasshuser
<br>
objectClass: inetorgperson
<br>
objectClass: organizationalperson
<br>
objectClass: krbticketpolicyaux
<br>
objectClass: krbprincipalaux
<br>
objectClass: inetuser
<br>
objectClass: posixaccount
<br>
objectClass: ipaSshGroupOfPubKeys
<br>
objectClass: mepOriginEntry
<br>
ipaUniqueID: 6048c4ac-6cdd-11e5-a0af-080027987dcb
<br>
mepManagedEntry:
<br>
cn=user1000098,cn=groups,cn=accounts,dc=example,dc=test
<br>
<br>
Would it be an option to create a new attribute,
'krbNonCanonicalName'
<br>
(containing the krbprincipal) but with a 'caseignoreIA5'
syntax ?
<br>
If this attribute is indexed, your lookup from a raw
principal would
<br>
user <a class="moz-txt-link-rfc2396E" href="mailto:(krbNonCanonicalname=user10000098@EXAMPLE.TEST)">"(krbNonCanonicalname=user10000098@EXAMPLE.TEST)"</a>
<br>
</blockquote>
<br>
It is not an option, no changing attributes, no changing
syntaxes, if
<br>
DS can't be fixed we'll need to adopt a completely different
strategy
<br>
we discussed already previously.
<br>
However it would be much nicer if we could fix DS to allow to
create
<br>
(and use) indexes for matching rules that are not defined in
the schema.
<br>
</blockquote>
Ok I understand... and agree. Let's investigate what's need to
be done
<br>
in DS :-)
<br>
<blockquote type="cite">
<br>
Simo.
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
Thierry is focused mainly on integration of 389 DS and FreeIPA.
Since this is a general 389 DS issue and it is not related
specifically to FreeIPA could we ask 389 DS upstream for a fix?
<br>
In general extensible matching never uses indices. I believe this
is severe enough to be considered major issue by upstream.
<br>
</blockquote>
<font face="Times New Roman, Times, serif">Hello David,<br>
<br>
</font>
<blockquote><font face="Times New Roman, Times, serif">There is an
upstream ticket tracking this issue
(<a class="moz-txt-link-freetext" href="https://fedorahosted.org/389/ticket/48270">https://fedorahosted.org/389/ticket/48270</a>). <br>
I started looking at it and discussing with DS team it requires
more investigation to determine the amount of work to do.<br>
So far it is planned that I will continue this investigation and
I expect to complete this evaluation next week.<br>
Now who will implement the fix, this is not decided yet.<br>
<br>
thanks<br>
thierry</font><br>
</blockquote>
</body>
</html>