[Freeipa-users] Replication flood caused by ipa_lockout plugin

Loris Santamaria loris at lgs.com.ve
Mon Feb 4 19:23:20 UTC 2013


Hi

on a production IPA realm with 3 servers and about 2000 users we were
experiencing a very high load on the servers. Further investigation
showed that the high load was caused by a lot of writes done by the IPA
dirsrv instance. Activating the audit logging showed a lot of MOD
operations to the directory, like these:

time: 20130204140217
dn: uid=XXXX,cn=users,cn=accounts,dc=XXX,dc=XXX,dc=XX
changetype: modify
replace: modifiersName
modifiersName: cn=IPA Lockout,cn=plugins,cn=config
-
replace: modifyTimestamp
modifyTimestamp: 20130204183216Z
-
replace: entryusn
entryusn: 3472506
-

time: 20130204140217
dn: uid=XXXX,cn=users,cn=accounts,dc=XXX,dc=XXX,dc=XX
changetype: modify
replace: modifiersName
modifiersName: cn=IPA Lockout,cn=plugins,cn=config
-
replace: modifyTimestamp
modifyTimestamp: 20130204183217Z
-
replace: entryusn
entryusn: 3472507

There is an HTTP proxy server which connects to IPA to perform user
authorization and it seems that it does a BIND on behalf of the user for
every page the user visits... and for every successful BIND the IPA
Lockout plugin does the MODs indicated above.

Note that currently we are not locking accounts on failed
authentication to the directory, so the above MODs seem completely
unnecessary.

For the time being we disabled the ipa lockout plugin, but we would like
to know if the behavior highlighted above is expected or if we should
file a bug.

Thanks
-- 
Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford
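The following script is an added example, not part of the original post or of FreeIPA itself. It shows how an administrator could confirm the pattern described above from the 389-ds audit log: parse the records into (time, dn, modifiersName, list of modified attributes), then count MODs per modifier DN and single out the ones that touch nothing but bookkeeping attributes (modifiersName, modifyTimestamp, entryusn), which is exactly the shape of the writes shown in the post. The sample log is constructed and the attribute set, threshold and user DNs are assumptions; the record format follows the excerpt in the message.

```python
"""Summarise 389-ds audit-log MOD records and flag 'housekeeping-only' writers.

Added example; the audit log below is constructed from the layout shown in
the mailing-list post, with placeholder DNs.
"""
from collections import Counter, defaultdict

# Attributes that change on every MOD even when nothing meaningful was written
# (assumption: these three are what the IPA Lockout writes in the post consist of).
HOUSEKEEPING = {"modifiersname", "modifytimestamp", "entryusn"}

# Constructed sample: two lockout-plugin writes to one user within one second,
# plus one genuine password change by an admin for contrast.
SAMPLE_AUDIT_LOG = """\
time: 20130204140217
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
changetype: modify
replace: modifiersName
modifiersName: cn=IPA Lockout,cn=plugins,cn=config
-
replace: modifyTimestamp
modifyTimestamp: 20130204183216Z
-
replace: entryusn
entryusn: 3472506
-

time: 20130204140217
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
changetype: modify
replace: modifiersName
modifiersName: cn=IPA Lockout,cn=plugins,cn=config
-
replace: modifyTimestamp
modifyTimestamp: 20130204183217Z
-
replace: entryusn
entryusn: 3472507

time: 20130204140305
dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
changetype: modify
replace: userPassword
userPassword: {SSHA}constructed-hash-value
-
replace: modifiersName
modifiersName: uid=admin,cn=users,cn=accounts,dc=example,dc=test
"""


def parse_audit_log(text):
    """Split the audit log into records; each record is a dict with the
    header fields plus 'attrs', the list of attributes the MOD touched."""
    records = []
    for chunk in text.strip().split("\n\n"):
        rec = {"attrs": []}
        for line in chunk.splitlines():
            if line == "-" or not line.strip():
                continue  # change separator or stray blank line
            key, _, value = line.partition(": ")
            if key in ("add", "replace", "delete"):
                rec["attrs"].append(value)
            elif key in ("time", "dn", "changetype", "modifiersName"):
                rec[key] = value
        records.append(rec)
    return records


def housekeeping_only(rec):
    """True when the MOD rewrote only operational attributes and no real data."""
    return set(a.lower() for a in rec["attrs"]) <= HOUSEKEEPING


def mods_by_modifier(records):
    """Count MOD operations per modifiersName (who is generating the writes)."""
    counts = Counter()
    for rec in records:
        if rec.get("changetype") == "modify":
            counts[rec.get("modifiersName", "<unknown>")] += 1
    return counts


def find_noisy_modifiers(records, threshold):
    """Return {modifier: count} for modifiers whose housekeeping-only MODs
    reach the threshold; these are the writes worth questioning first."""
    counts = Counter()
    for rec in records:
        if rec.get("changetype") == "modify" and housekeeping_only(rec):
            counts[rec.get("modifiersName", "<unknown>")] += 1
    return {m: n for m, n in counts.items() if n >= threshold}


def mods_per_dn(records):
    """Per target entry: how many times each modifier rewrote it."""
    per_dn = defaultdict(Counter)
    for rec in records:
        if rec.get("changetype") == "modify":
            per_dn[rec.get("dn", "<unknown>")][rec.get("modifiersName", "<unknown>")] += 1
    return per_dn


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for modifier, n in mods_by_modifier(recs).most_common():
        print(f"{n:6d}  {modifier}")
    print("housekeeping-only writers:", find_noisy_modifiers(recs, threshold=2))
    for dn, who in mods_per_dn(recs).items():
        print(dn, dict(who))
```

On a real system you would feed `/var/log/dirsrv/slapd-INSTANCE/audit` (path is the usual 389-ds default, an assumption here) into `parse_audit_log` and raise the threshold to match the bind rate; a modifier that appears thousands of times with nothing but housekeeping attributes is the replication noise described above, and the per-DN view tells you which clients (here, the proxy binding as end users) are driving it.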