[Freeipa-devel] [PATCH] 492 Add options to reduce writes from KDC
JR Aquino
JR.Aquino at citrix.com
Thu May 31 21:52:05 UTC 2012
On May 29, 2012, at 1:32 PM, Simo Sorce wrote:
> On Fri, 2012-05-25 at 18:36 -0400, Simo Sorce wrote:
>> The original ldap driver we used up to 2.2 had 2 options admins could
>> set to limit the amount of writes to the database on certain auditing
>> related operations.
>> In particular disable_last_success is really important to reduce the
>> load on database servers.
>>
>> I have implemented ticket #2734 with a little twist. Instead of adding
>> local options in krb5.conf I create global options in the LDAP tree, so
>> that all KDCs in the domain have the same configuration.
>>
>> The 2 new options can be set in ipaConfigString attribute of the
>> cn=ipaConfig object under cn=etc,$SUFFIX
>>
>> These are:
>> KDC:Disable Last Success
>> KDC:Disable Lockout
>>
>> The first string if set will disable updating the krbLastSuccessfulAuth
>> field in the service/user entry.
>> The second one will prevent changing any of the Lockout related fields
>> and will effectively disable lockout policies.
>>
>> I think we may want to set the first one by default in future.
>> The last successful auth field is not very interesting in general and
>> causes a lot of writes that put a lot of pressure on the LDAP server and
>> get replicated everywhere with a storm multiplier effect we'd like to avoid.
>>
>> The lockout one instead happens only when there are failed authentication
>> attempts; this means it never happens when keytabs are used, for example.
>> And even with users it should happen rarely enough that tracking lockouts
>> by default makes leaving these writes on by default a good tradeoff.
>>
>> Note that simply setting the lockout policy to never lockout is *not*
>> equivalent to setting KDC:Disable Lockout, as it does not prevent writes
>> to the database.
>>
>> I've tested setting KDC:Disable Last Success and it effectively prevents
>> MOD operations from showing up in the server access log.
>>
>> Any change to these configuration options requires a reconnection from
>> the KDC to the LDAP server, the simplest way to cause that is to restart
>> the KDC service.
>
> Attached also rebased patch that cleanly applies on top of 2.2.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
> <freeipa-2.2-simo-492-1-Add-support-for-disabling-KDC-writes.patch>
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
ACK
This patch and "KDC:Disable Last Success" brought the writes and replications down by an order of magnitude!
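The two flags are plain values of the multi-valued ipaConfigString attribute on cn=ipaConfig,cn=etc,$SUFFIX, so they can be set with a regular ldapmodify and read back with ldapsearch. The following helpers are an added example, not part of Simo's patch or of the FreeIPA code base: they render the ldapmodify input for the chosen flags and interpret an LDIF dump of cn=ipaConfig to show which per-authentication writes the KDC will still issue. The suffix, the sample entry and its other value are constructed; the assumption that the flags are matched as the exact strings given in the thread is the example's own.

```python
# Added example (not from the patch or from FreeIPA itself): build the
# ldapmodify input for the KDC write-reduction flags and read them back
# from an LDIF dump of cn=ipaConfig,cn=etc,$SUFFIX.
from typing import Dict, Iterable, List

# Flag strings exactly as given in the thread.
DISABLE_LAST_SUCCESS = "KDC:Disable Last Success"
DISABLE_LOCKOUT = "KDC:Disable Lockout"

# Constructed sample of what an ldapsearch of cn=ipaConfig might return after
# the "last success" flag has been added; the suffix and the other value are
# made up for this example.
SAMPLE_ENTRY = """\
dn: cn=ipaConfig,cn=etc,dc=example,dc=com
ipaConfigString: SomeOtherFlag
ipaConfigString: KDC:Disable Last Success
"""


def config_strings(ldif_entry: str) -> List[str]:
    """Collect ipaConfigString values from one LDIF entry.

    Continuation lines (leading space) are folded back as RFC 2849 requires.
    Base64-encoded values ("attr:: ...") are skipped; the flags are plain ASCII.
    """
    unfolded: List[str] = []
    for raw in ldif_entry.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    values: List[str] = []
    for line in unfolded:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "ipaconfigstring":
            continue
        if value.startswith(":"):  # base64 value, not handled here
            continue
        values.append(value.strip())
    return values


def kdc_audit_writes(strings: Iterable[str]) -> Dict[str, bool]:
    """Which audit-related writes the KDC will still perform.

    Assumption: the KDC compares the flags as exact strings.
    """
    present = set(strings)
    return {
        # krbLastSuccessfulAuth is updated on every successful auth unless disabled.
        "krbLastSuccessfulAuth": DISABLE_LAST_SUCCESS not in present,
        # Lockout fields are written on failed attempts unless disabled.
        "lockout_fields": DISABLE_LOCKOUT not in present,
    }


def disable_writes_ldif(suffix: str, last_success: bool = True,
                        lockout: bool = False) -> str:
    """ldapmodify input that adds the selected flags to cn=ipaConfig.

    Apply with something like:
        ldapmodify -x -D "cn=Directory Manager" -W -f kdc-writes.ldif
    and then restart the KDC so it reconnects to LDAP and picks up the change,
    as the thread notes.
    """
    flags = []
    if last_success:
        flags.append(DISABLE_LAST_SUCCESS)
    if lockout:
        flags.append(DISABLE_LOCKOUT)
    if not flags:
        raise ValueError("no flag selected")
    lines = [
        f"dn: cn=ipaConfig,cn=etc,{suffix}",
        "changetype: modify",
        "add: ipaConfigString",
    ]
    lines += [f"ipaConfigString: {flag}" for flag in flags]
    return "\n".join(lines) + "\n-\n"  # "-" terminates the modify hunk


if __name__ == "__main__":
    print(disable_writes_ldif("dc=example,dc=com"))
    print(kdc_audit_writes(config_strings(SAMPLE_ENTRY)))
```

Running the module prints the LDIF for the default (last-success-only) change and reports that, with the sample entry, krbLastSuccessfulAuth updates are off while lockout writes remain on, which matches the tradeoff Simo describes.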