[Freeipa-devel] [PATCH] 492 Add options to reduce writes from KDC

Simo Sorce simo at redhat.com
Tue Jun 5 12:16:11 UTC 2012


On Mon, 2012-06-04 at 22:59 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > The original ldap driver we used up to 2.2 had 2 options admins could
> > set to limit the amount of writes to the database on certain auditing
> > related operations.
> > In particular disable_last_success is really important to reduce the
> > load on database servers.
> >
> > I have implemented ticket #2734 with a little twist. Instead of adding
> > local options in krb5.conf I create global options in the LDAP tree, so
> > that all KDCs in the domain have the same configuration.
> >
> > The 2 new options can be set in ipaConfigString attribute of the
> > cn=ipaConfig object under cn=etc,$SUFFIX
> >
> > These are:
> > KDC:Disable Last Success
> > KDC:Disable Lockout
> >
> > The first string if set will disable updating the krbLastSuccessfulAuth
> > field in the service/user entry.
> > The second one will prevent changing any of the Lockout related fields
> > and will effectively disable lockout policies.
> >
> > I think we may want to set the first one by default in future.
> > The last successful auth field is not very interesting in general and is
> > cause for a lot of writes that pressure a lot the LDAP server and get
> > replicated everywhere with a storm multiplier effect we'd like to avoid.
> >
> > The lockout one instead happens only when there are failed authentication
> > attempts, this means it never happens when keytabs are used for example.
> > And even with users it should happen rarely enough that tracking lockouts
> > by default makes leaving these writes on by default a good tradeoff.
> >
> > Note that simply setting the lockout policy to never lockout is *not*
> > equivalent to setting KDC:Disable Lockout, as it does not prevent writes
> > to the database.
> >
> > I've tested setting KDC:Disable Last Success and it effectively prevents
> > MOD operations from showing up in the server access log.
> >
> > Any change to these configuration options requires a reconnection from
> > the KDC to the LDAP server, the simplest way to cause that is to restart
> > the KDC service.
> >
> > Simo.
> 
> In ipadb_get_global_configs() should there be a call to LOG_OOM()?
> 
> Also, if ipadb_simple_search() or ipadb_get_global_configs() fails
> should we log the result code when non-zero?

Well this code runs in the KDC, not in DIRSRV so LOG_OOM() wouldn't
work.
Perhaps we should add KDC_LOG() macros, but that would be a separate
task imo.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
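The following is an added illustration of the two options discussed in this thread; it is not the patch's C code nor anything from the FreeIPA project. It models how the KDC-side flags are derived from the ipaConfigString values of cn=ipaConfig,cn=etc,$SUFFIX, which principal-entry attributes a successful or failed authentication would still cause the KDC to MOD under each setting (including why a "never lock out" policy still generates writes), and the LDIF one would feed to ldapmodify to turn an option on. Exact, case-sensitive matching of the option strings and the lockout attribute names krbLastFailedAuth and krbLoginFailedCount are assumptions (the mail names only krbLastSuccessfulAuth).

```python
"""Model of the KDC write-reduction options from the Freeipa-devel thread.

Added example, not code from the patch or from FreeIPA. Assumptions:
- option strings are matched exactly (case-sensitive);
- the lockout-related attributes are krbLastFailedAuth and
  krbLoginFailedCount (names taken from the FreeIPA schema, not the mail).
"""
from dataclasses import dataclass

# Where the global options live, per the mail (suffix is filled in at runtime).
CONFIG_DN_TEMPLATE = "cn=ipaConfig,cn=etc,{suffix}"
DISABLE_LAST_SUCCESS = "KDC:Disable Last Success"
DISABLE_LOCKOUT = "KDC:Disable Lockout"


@dataclass(frozen=True)
class KdcWriteConfig:
    """The two flags every KDC in the domain reads from the LDAP tree."""
    disable_last_success: bool = False
    disable_lockout: bool = False


def config_from_ipaconfigstring(values):
    """Derive the flags from the multi-valued ipaConfigString attribute.

    `values` is the list of strings as returned by an LDAP search; any
    unrelated ipaConfigString values are ignored.
    """
    present = set(values)
    return KdcWriteConfig(
        disable_last_success=DISABLE_LAST_SUCCESS in present,
        disable_lockout=DISABLE_LOCKOUT in present,
    )


def audit_attributes_written(cfg, auth_succeeded, lockout_policy_never_locks=False):
    """Return the principal-entry attributes the KDC would MOD after an attempt.

    `lockout_policy_never_locks` deliberately has no effect on the result:
    as the mail notes, a policy that never locks out still records the
    failure, so only KDC:Disable Lockout removes those writes.
    (The reset of the failure counter on a later success is omitted here.)
    """
    written = []
    if auth_succeeded:
        if not cfg.disable_last_success:
            written.append("krbLastSuccessfulAuth")
    else:
        if not cfg.disable_lockout:
            written.append("krbLastFailedAuth")   # assumed attribute name
            written.append("krbLoginFailedCount")  # assumed attribute name
    return written


def ldif_to_set(option, suffix):
    """LDIF that adds one option value to cn=ipaConfig; feed it to ldapmodify.

    Per the mail, the running KDCs pick the change up only after they
    reconnect to LDAP, e.g. after a KDC service restart.
    """
    dn = CONFIG_DN_TEMPLATE.format(suffix=suffix)
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "add: ipaConfigString",
        f"ipaConfigString: {option}",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample of what an LDAP search of cn=ipaConfig might return.
    sample_values = ["AllowNFSv3", DISABLE_LAST_SUCCESS]
    cfg = config_from_ipaconfigstring(sample_values)
    print("flags:", cfg)
    print("writes on success:", audit_attributes_written(cfg, True))
    print("writes on failure:", audit_attributes_written(cfg, False))
    print(ldif_to_set(DISABLE_LOCKOUT, "dc=example,dc=test"))
```

With only KDC:Disable Last Success set, a keytab-based service that authenticates successfully thousands of times a day generates no MOD at all, which is the replication "storm multiplier" the mail wants to avoid; failed attempts are still recorded unless KDC:Disable Lockout is set as well.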
