[Freeipa-users] Replication flood caused by ipa_lockout plugin

Rob Crittenden rcritten at redhat.com
Mon Feb 4 19:45:16 UTC 2013


Loris Santamaria wrote:
> Hi
>
> on a production IPA realm with 3 servers and about 2000 users we were
> experiencing a very high load on the servers. Further investigation
> showed that the high load was caused by a lot of writes done by the IPA
> dirsrv instance. Activating the audit logging showed a lot of MOD
> operations to the directory, like these:
>
> time: 20130204140217
> dn: uid=XXXX,cn=users,cn=accounts,dc=XXX,dc=XXX,dc=XX
> changetype: modify
> replace: modifiersName
> modifiersName: cn=IPA Lockout,cn=plugins,cn=config
> -
> replace: modifyTimestamp
> modifyTimestamp: 20130204183216Z
> -
> replace: entryusn
> entryusn: 3472506
> -
>
> time: 20130204140217
> dn: uid=XXXX,cn=users,cn=accounts,dc=XXX,dc=XXX,dc=XX
> changetype: modify
> replace: modifiersName
> modifiersName: cn=IPA Lockout,cn=plugins,cn=config
> -
> replace: modifyTimestamp
> modifyTimestamp: 20130204183217Z
> -
> replace: entryusn
> entryusn: 3472507
>
> There is an HTTP proxy server which connects to IPA to perform user
> authorization and it seems that it does a BIND on behalf of the user for
> every page the user visits... and for every successful BIND the IPA
> Lockout plugin does the MODs indicated above.
>
> It is worth noting that currently we are not locking accounts on failed
> authentication to the directory, so the above MODs seem completely
> unnecessary.
>
> For the time being we disabled the ipa lockout plugin, but we would like
> to know if the behavior highlighted above is expected or if we should
> file a bug.

Fixed in 389-ds-base 1.2.11. See bug 
https://bugzilla.redhat.com/show_bug.cgi?id=782975

The commit is:

https://lists.fedoraproject.org/pipermail/389-commits/2012-May/005209.html

rob
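As an added example (not code from the thread, FreeIPA or 389-ds), the script below parses audit-log entries in the format quoted above and reports, per modifiersName, how many MODs were made, how many of them touched only bookkeeping attributes (modifiersName, modifyTimestamp, entryusn), and the peak number of MODs in a single audit-log second. That is the signature a write flood like the one reported leaves in the audit log, and it lets an administrator attribute the load to a plugin DN or bind DN before looking at replication. The sample log is constructed: its first two entries mirror the excerpt, while the uid=YYYY entry and the uid=admin modifier are assumed for contrast.

```python
"""Attribute 389-ds audit-log MOD operations to the DN that made them.

Added example, not part of the original thread. Works offline on the
constructed sample below; point parse_audit_log() at a real audit log
(e.g. /var/log/dirsrv/slapd-INSTANCE/audit) to run it for real.
"""
import re
from collections import Counter

# Constructed sample in 389-ds audit-log layout. Entries 1 and 2 mirror the
# excerpt in the mail (only bookkeeping attributes change); entry 3 is an
# assumed ordinary admin change for contrast.
SAMPLE_AUDIT_LOG = """\
time: 20130204140217
dn: uid=XXXX,cn=users,cn=accounts,dc=XXX,dc=XXX,dc=XX
changetype: modify
replace: modifiersName
modifiersName: cn=IPA Lockout,cn=plugins,cn=config
-
replace: modifyTimestamp
modifyTimestamp: 20130204183216Z
-
replace: entryusn
entryusn: 3472506
-

time: 20130204140217
dn: uid=XXXX,cn=users,cn=accounts,dc=XXX,dc=XXX,dc=XX
changetype: modify
replace: modifiersName
modifiersName: cn=IPA Lockout,cn=plugins,cn=config
-
replace: modifyTimestamp
modifyTimestamp: 20130204183217Z
-
replace: entryusn
entryusn: 3472507
-

time: 20130204140230
dn: uid=YYYY,cn=users,cn=accounts,dc=XXX,dc=XXX,dc=XX
changetype: modify
replace: mail
mail: yyyy@example.test
-
replace: modifiersName
modifiersName: uid=admin,cn=users,cn=accounts,dc=XXX,dc=XXX,dc=XX
-
replace: modifyTimestamp
modifyTimestamp: 20130204183230Z
-
replace: entryusn
entryusn: 3472508
-
"""

# Attributes the server rewrites on every MOD; a change consisting of only
# these is a no-op from the user's point of view but still replicates.
BOOKKEEPING = {"modifiersName", "modifyTimestamp", "entryusn"}


def parse_audit_log(text):
    """Yield one dict per audit entry (blank-line separated, LDIF-like)."""
    for chunk in re.split(r"\n\s*\n", text.strip()):
        entry = {"attrs": []}          # attrs: names of attributes changed
        for line in chunk.splitlines():
            if line == "-" or not line.strip():
                continue
            key, _, value = line.partition(": ")
            if key in ("time", "dn", "changetype", "modifiersName"):
                entry[key] = value
            elif key in ("replace", "add", "delete"):
                entry["attrs"].append(value)
        if "dn" in entry:
            yield entry


def housekeeping_only(entry):
    """True when the MOD changed nothing but bookkeeping attributes."""
    return bool(entry["attrs"]) and set(entry["attrs"]) <= BOOKKEEPING


def report(text):
    """Per-modifier stats: total MODs, bookkeeping-only MODs, peak MODs/second."""
    mods = [e for e in parse_audit_log(text) if e.get("changetype") == "modify"]
    stats = {}
    for modifier in {e.get("modifiersName", "<unknown>") for e in mods}:
        mine = [e for e in mods if e.get("modifiersName", "<unknown>") == modifier]
        per_second = Counter(e["time"] for e in mine)
        stats[modifier] = {
            "mods": len(mine),
            "housekeeping_only": sum(housekeeping_only(e) for e in mine),
            "peak_per_second": max(per_second.values(), default=0),
        }
    return stats


if __name__ == "__main__":
    for modifier, s in sorted(report(SAMPLE_AUDIT_LOG).items(),
                              key=lambda kv: -kv[1]["mods"]):
        print(f"{s['mods']:6d} mods  {s['housekeeping_only']:6d} bookkeeping-only  "
              f"peak {s['peak_per_second']}/s  {modifier}")
```

On the constructed sample the lockout plugin DN shows two MODs, both bookkeeping-only, in the same second, which is the pattern to watch for; a modifier with a large bookkeeping-only count is generating replication traffic without changing any user-visible data.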



