<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 10/07/2015 03:10 PM, David Kupka
wrote:<br>
</div>
<blockquote cite="mid:561519B8.1010206@redhat.com" type="cite">On
06/10/15 17:52, Jakub Hrozek wrote:
<br>
<blockquote type="cite">On Tue, Oct 06, 2015 at 08:32:29AM -0400,
Simo Sorce wrote:
<br>
<blockquote type="cite">On 06/10/15 08:04, David Kupka wrote:
<br>
<blockquote type="cite">On 06/10/15 13:35, Simo Sorce wrote:
<br>
<blockquote type="cite">On 06/10/15 03:51, thierry bordaz
wrote:
<br>
<blockquote type="cite">On 10/06/2015 07:19 AM, David
Kupka wrote:
<br>
<blockquote type="cite">On 05/10/15 16:12, Simo Sorce
wrote:
<br>
<blockquote type="cite">On 05/10/15 09:00, Martin
Babinsky wrote:
<br>
<blockquote type="cite">These patches implement the
plumbing required to properly support
<br>
canonicalization of Kerberos principals (
<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/3864">https://fedorahosted.org/freeipa/ticket/3864</a>).
<br>
<br>
Setting multiple principal aliases on
hosts/services is beyond the
<br>
scope
<br>
of this patchset and should be done after these
patches are pushed.
<br>
<br>
I will try to send some tests for the patches
later this week.
<br>
<br>
Please review the hell out of them.
<br>
</blockquote>
<br>
LGTM, I do not see any issue at quick visual
inspection.
<br>
What about the performance regression with the
indexes ? Is that bug
<br>
fixed in 389ds ?
<br>
<br>
Simo.
<br>
<br>
<br>
</blockquote>
<br>
The issue is still there. Thierry investigated this in
389 DS and IIUC
<br>
he is not sure if it's bug or completely missing
feature. Therefore we
<br>
still don't know how much time is needed there.
<br>
<br>
</blockquote>
Hi,
<br>
that is correct.
<br>
I can reproduce the problem. Although the matching rule
(in my test
<br>
caseIgnoreIA5Match) is found, it has no registered
indexing function, so
<br>
the setting (nsMatchingRule) is ignored.
<br>
I do not know if the indexing function is missing or
there is a bug so
<br>
that the matching rule "forget" to register it.
<br>
This feature is documented but I can not find any QA
test around it, so
<br>
I do not know yet if it is a regression or if it was not
enabled at all.
<br>
<br>
I do not expect rapid progress on it. How urgent is it ?
7.3 ?
<br>
For the moment I can think to only two workarounds:
<br>
<br>
* use filtered matching rule (preferred)
<br>
* change the attribute syntax/matching rule, in the
schema (I would
<br>
discourage this one because changing the schema is
risky)
<br>
</blockquote>
<br>
We can't change the syntax at this point.
<br>
<br>
Well this patchset is blocked until the 389 ds bug is
fixed (the
<br>
performance regression is too big to just put it in and
hope) so I guess
<br>
we'll have to negotiate a time for the fix.
<br>
<br>
Simo.
<br>
<br>
</blockquote>
<br>
I agree that we really shouldn't change schema.
<br>
<br>
But I don't think the patches're necessary blocked by this
issue.
<br>
Canonicalization was never supported in FreeIPA and when it
is not
<br>
requested the performance is not effected at all. We could
merge patches
<br>
as soon as they're carefully reviewed and tested to avoid
tedious
<br>
rebasing and start using the new functionality when 389 DS
gets fixed.
<br>
</blockquote>
<br>
The fact we didn't do canonicalization this way doesn't mean
clients aren't
<br>
asking for it.
<br>
<br>
I think Windows clients ask for canonicalization by default,
and in SSSD I
<br>
see we turn on by default krb5_canonicalize in the IPA nd LDAP
case (oddly
<br>
enough not in the AD case ?)
<br>
<br>
So SSSD's authentication requests would end up hitting this
case all the
<br>
time if I am reading the code correctly (CCed Jakub to
confirm/dispel this).
<br>
</blockquote>
<br>
We ask for canonicalization always in IPA and LDAP, but also
whenever
<br>
enterprise principals are used, which is true for AD provider.
<br>
<br>
</blockquote>
<br>
Then SSSD will hit this every time it requests ticket on behalf of
user.
<br>
But to be sure what the impact would be I've once again set up
FreeIPA server with 10K users and run some tests.
<br>
<br>
1) 3 LDAP searches (caseIgnoreIA5Match, caseExactIA5Match, without
specifying the matching rule).
<br>
Results (<a class="moz-txt-link-freetext" href="http://fpaste.org/275847/44221770/raw/">http://fpaste.org/275847/44221770/raw/</a>) shows that
unindexed search takes ~100 times longer than indexed.
<br>
<br>
2) kinit with and without requested canonicalization.
<br>
<br>
As we use kinit to get the ticket it makes sense to check what
will the performance hit be when we run kinit as a whole and not
just an isolated LDAP search.
<br>
The results (<a class="moz-txt-link-freetext" href="http://fpaste.org/275848/21793144/raw/">http://fpaste.org/275848/21793144/raw/</a>) shows that
with canonicalization it takes ~2 times longer than without it.
<br>
While this is nothing to be happy about it's certainly better than
I would expect.
<br>
<br>
</blockquote>
<font face="Times New Roman, Times, serif">Clearly we need to make
the search indexed. </font><br>
<font face="Times New Roman, Times, serif">In your deployment you
defined:<br>
</font>
<blockquote><tt>dn:
uid=user1000098,cn=users,cn=accounts,dc=example,dc=test</tt><tt><br>
</tt><tt>uid: user1000098</tt><tt><br>
</tt><tt>givenName: Test</tt><tt><br>
</tt><tt>sn: User1000098</tt><tt><br>
</tt><tt>cn: Test User1000098</tt><tt><br>
</tt><tt>initials: TU</tt><tt><br>
</tt><tt>homeDirectory: /home/user1000098</tt><tt><br>
</tt><tt>gecos: Test User1000098</tt><tt><br>
</tt><tt>loginShell: /bin/sh</tt><tt><br>
</tt><tt>mail: <a class="moz-txt-link-abbreviated" href="mailto:user1000098@example.test">user1000098@example.test</a></tt><tt><br>
</tt><tt>uidNumber: 7611001000098</tt><tt><br>
</tt><tt>gidNumber: 7611001000098</tt><tt><br>
</tt><tt>displayName: Test User1000098</tt><tt><br>
</tt><tt><b>krbPrincipalName: <a class="moz-txt-link-abbreviated" href="mailto:user1000098@EXAMPLE.TEST">user1000098@EXAMPLE.TEST</a></b></tt><tt><br>
</tt><tt><b>krbCanonicalName: <a class="moz-txt-link-abbreviated" href="mailto:user1000098@EXAMPLE.TEST">user1000098@EXAMPLE.TEST</a></b></tt><tt><br>
</tt><tt>memberOf:
cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test</tt><tt><br>
</tt><tt>objectClass: ipaobject</tt><tt><br>
</tt><tt>objectClass: person</tt><tt><br>
</tt><tt>objectClass: top</tt><tt><br>
</tt><tt>objectClass: ipasshuser</tt><tt><br>
</tt><tt>objectClass: inetorgperson</tt><tt><br>
</tt><tt>objectClass: organizationalperson</tt><tt><br>
</tt><tt>objectClass: krbticketpolicyaux</tt><tt><br>
</tt><tt>objectClass: krbprincipalaux</tt><tt><br>
</tt><tt>objectClass: inetuser</tt><tt><br>
</tt><tt>objectClass: posixaccount</tt><tt><br>
</tt><tt>objectClass: ipaSshGroupOfPubKeys</tt><tt><br>
</tt><tt>objectClass: mepOriginEntry</tt><tt><br>
</tt><tt>ipaUniqueID: 6048c4ac-6cdd-11e5-a0af-080027987dcb</tt><tt><br>
</tt><tt>mepManagedEntry:
cn=user1000098,cn=groups,cn=accounts,dc=example,dc=test</tt><br>
</blockquote>
<font face="Times New Roman, Times, serif">Would it be an option to
create a new attribute, 'krbNonCanonicalName' (containing the
krbprincipal) but with a 'caseignoreIA5' syntax ?<br>
If this attribute is indexed, your lookup from a raw principal
would user </font><tt><a class="moz-txt-link-rfc2396E" href="mailto:(krbNonCanonicalname=user10000098@EXAMPLE.TEST)">"(krbNonCanonicalname=user10000098@EXAMPLE.TEST)"</a><br>
<br>
thanks<br>
theirry<br>
</tt>
</body>
</html>