The original ldap driver we used up to 2.2 had 2 options admins could set to limit the amount of writes to the database on certain auditing-related operations. In particular, disable_last_success is really important to reduce the load on database servers.
I have implemented ticket #2734 with a little twist. Instead of adding local options in krb5.conf, I create global options in the LDAP tree, so that all KDCs in the domain have the same configuration. The 2 new options can be set in the ipaConfigString attribute of the cn=ipaConfig object under cn=etc,$SUFFIX. These are: KDC:Disable Last Success, KDC:Disable Lockout. The first string, if set, will disable updating the krbLastSuccessfulAuth field in the service/user entry. The second one will prevent changing any of the lockout-related fields and will effectively disable lockout policies. I think we may want to set the first one by default in future. The last successful auth field is not very interesting in general and causes a lot of writes that put a lot of pressure on the LDAP server and get replicated everywhere, with a storm multiplier effect we'd like to avoid. The lockout writes instead happen only when there is a failed authentication attempt; this means they never happen when keytabs are used, for example. And even with users they should happen rarely enough that tracking lockouts by default makes leaving these writes on by default a good tradeoff. Note that simply setting the lockout policy to never lock out is *not* equivalent to setting KDC:Disable Lockout, as it does not prevent writes to the database. I've tested setting KDC:Disable Last Success and it effectively prevents MOD operations from showing up in the server access log. Any change to these configuration options requires a reconnection from the KDC to the LDAP server; the simplest way to cause that is to restart the KDC service. Simo. -- Simo Sorce * Red Hat, Inc * New York
>From 1bb57926c7156be7b731e4920ee202c3307e3fb6 Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Wed, 23 May 2012 12:35:44 -0400
Subject: [PATCH] Add support for disabling KDC writes

Add two global ipaConfig options to disable undesirable writes that have performance impact. The "KDC:Disable Last Success" will disable writing back to ldap the last successful AS Request time (successful kinit) The "KDC:Disable Lockout" will disable completely writing back lockout related data. This means lockout policies will stop working.
---
 API.txt | 2 +-
 daemons/ipa-kdb/ipa_kdb.c | 66 ++++++++++++++++++++++++++++++++++++
 daemons/ipa-kdb/ipa_kdb.h | 2 +
 daemons/ipa-kdb/ipa_kdb_audit_as.c | 7 ++++
 ipalib/plugins/config.py | 3 +-
 5 files changed, 78 insertions(+), 2 deletions(-)

diff --git a/API.txt b/API.txt
index 82a6bc65c1e1936f94f4c29b58a34972237f4eb3..6559e8133a0a4a7b1cc005608bd65436d033a10d 100644
--- a/API.txt
+++ b/API.txt
@@ -459,7 +459,7 @@ option: Bool('ipamigrationenabled', attribute=True, autofill=False, cli_name='en
 option: Str('ipagroupobjectclasses', attribute=True, autofill=False, cli_name='groupobjectclasses', csv=True, multivalue=True, required=False)
 option: Str('ipauserobjectclasses', attribute=True, autofill=False, cli_name='userobjectclasses', csv=True, multivalue=True, required=False)
 option: Int('ipapwdexpadvnotify', attribute=True, autofill=False, cli_name='pwdexpnotify', minvalue=0, multivalue=False, required=False)
-option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowLMhash', u'AllowNThash'))
+option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowLMhash', u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
 option: Str('ipaselinuxusermaporder', attribute=True, autofill=False, cli_name='ipaselinuxusermaporder', multivalue=False, required=False)
 option: Str('ipaselinuxusermapdefault', attribute=True, autofill=False, cli_name='ipaselinuxusermapdefault', multivalue=False, required=False)
 option: Str('setattr*', cli_name='setattr', exclude='webui')
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index ed87d6fef246ca4566ba87af40d2e41fd20f757f..3527cefa10df67d3f17c730ab4483410c736a44f 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -159,6 +159,65 @@ done:
 return base;
 }
 
+int ipadb_get_global_configs(struct ipadb_context *ipactx)
+{
+ char *attrs[] = { "ipaConfigString", NULL };
+ struct berval **vals = NULL;
+ LDAPMessage *res = NULL;
+ LDAPMessage *first;
+ char *base = NULL;
+ int i;
+ int ret;
+
+ ret = asprintf(&base, "cn=ipaConfig,cn=etc,%s", ipactx->base);
+ if (ret == -1) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = ipadb_simple_search(ipactx, base, LDAP_SCOPE_BASE,
+ "(objectclass=*)", attrs, &res);
+ if (ret) {
+ goto done;
+ }
+
+ first = ldap_first_entry(ipactx->lcontext, res);
+ if (!first) {
+ /* no results, set nothing */
+ ret = 0;
+ goto done;
+ }
+
+ vals = ldap_get_values_len(ipactx->lcontext, first,
+ "ipaConfigString");
+ if (!vals || !vals[0]) {
+ /* no config, set nothing */
+ ret = 0;
+ goto done;
+ }
+
+ for (i = 0; vals[i]; i++) {
+ if (strncasecmp("KDC:Disable Last Success",
+ vals[i]->bv_val, vals[i]->bv_len) == 0) {
+ ipactx->disable_last_success = true;
+ continue;
+ }
+ if (strncasecmp("KDC:Disable Lockout",
+ vals[i]->bv_val, vals[i]->bv_len) == 0) {
+ ipactx->disable_lockout = true;
+ continue;
+ }
+ }
+
+ ret = 0;
+
+done:
+ ldap_value_free_len(vals);
+ ldap_msgfree(res);
+ free(base);
+ return ret;
+}
+
 int ipadb_get_connection(struct ipadb_context *ipactx)
 {
 struct berval **vals = NULL;
@@ -259,6 +318,13 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
 ipactx->supp_encs = kst;
 ipactx->n_supp_encs = n_kst;
 
+ /* get additional options */
+ ret = ipadb_get_global_configs(ipactx);
+ if (ret) {
+ goto done;
+ }
+
+ /* get adtrust options */
 ret = ipadb_reinit_mspac(ipactx);
 if (ret && ret != ENOENT) {
 /* TODO: log that there is an issue with adtrust settings */
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 996d8448b091f0c37c28eedad31c4f310ad9dccb..c1cc7a7d8ecdf86b10606233078abbb8685f6750 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
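Review bot: The option matching in ipadb_get_global_configs (first hunk) compares only `bv_len` characters of each ipaConfigString value, so any value that is a prefix of an option name — `KDC:`, `KDC:Disable`, or an empty value — silently sets the flag, and for `disable_lockout` that means a malformed or truncated attribute value turns lockout accounting off rather than being ignored. Requiring the length to match as well closes that: `if (vals[i]->bv_len == strlen("KDC:Disable Last Success") && strncasecmp("KDC:Disable Last Success", vals[i]->bv_val, vals[i]->bv_len) == 0)`, and the same shape for the lockout string. The two flags are also only ever set to true in this function; if ipadb_get_connection (which the second hunk makes the caller) is re-run on the same ipadb_context after a reconnect, a value removed from cn=ipaConfig would presumably not clear them, so resetting both to false at the top of the function would make the read idempotent. A header comment would also help, along the lines of `/* Read the KDC:Disable Last Success / KDC:Disable Lockout strings (case-insensitive) from cn=ipaConfig into ipactx; a missing entry or attribute leaves the flags untouched and is not an error. */`.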
@@ -92,6 +92,8 @@ struct ipadb_context {
 krb5_key_salt_tuple *supp_encs;
 int n_supp_encs;
 struct ipadb_wincompat wc;
+ bool disable_last_success;
+ bool disable_lockout;
 };
 
 #define IPA_E_DATA_MAGIC 0x0eda7a
diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c
index 64af8b2f9e8d8ab9d2828014b5ce214704ab3e46..7596db0fae165efd21e7c24f9af97a200e99e624 100644
--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
+++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
@@ -72,6 +72,9 @@ void ipadb_audit_as_req(krb5_context kcontext,
 client->fail_auth_count = 0;
 client->mask |= KMASK_FAIL_AUTH_COUNT;
 }
+ if (ipactx->disable_last_success) {
+ break;
+ }
 client->last_success = authtime;
 client->mask |= KMASK_LAST_SUCCESS;
 }
@@ -80,6 +83,10 @@ void ipadb_audit_as_req(krb5_context kcontext,
 
 case KRB5KDC_ERR_PREAUTH_FAILED:
 case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+ if (ipactx->disable_lockout) {
+ break;
+ }
+
 if (client->last_failed <= ied->last_admin_unlock) {
 /* Reset fail_auth_count, and admin unlocked the account */
 client->fail_auth_count = 0;
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index 30f26addf1162f2b6d7febe76853f894a560ef60..c8230e23a779163bca447594206a65b6062d4b37 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -177,7 +177,8 @@ class config(LDAPObject):
 cli_name='ipaconfigstring',
 label=_('Password plugin features'),
 doc=_('Extra hashes to generate in password plug-in'),
- values=(u'AllowLMhash', u'AllowNThash'),
+ values=(u'AllowLMhash', u'AllowNThash',
+ u'KDC:Disable Last Success', u'KDC:Disable Lockout'),
 csv=True,
 ),
 Str('ipaselinuxusermaporder',
-- 
1.7.7.6
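Review bot: The two new `struct ipadb_context` members in the ipa_kdb.h hunk carry no comment, and nothing in the diff initializes them, so a reader has to find the ipaConfig lookup elsewhere to learn what they mean and has to trust that the context is zeroed on allocation for the default to be "off". A short comment on each would settle both points: `bool disable_last_success; /* "KDC:Disable Last Success" in cn=ipaConfig ipaConfigString: do not write krbLastSuccessfulAuth */` and `bool disable_lockout; /* "KDC:Disable Lockout": do not write any lockout bookkeeping; lockout policies are then not enforced by the KDC */`.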
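Review bot: The `disable_lockout` early break in the second ipa_kdb_audit_as.c hunk (`@@ -80,6 +83,10 @@`) stops the KDC from recording failed attempts, but whatever enforces the lockout reads the stored `fail_auth_count`, which is outside this hunk and presumably unchanged, so a principal that was already at the threshold when the option was turned on stays locked until an admin unlock; the success path in the first hunk still resets the count, but a locked principal cannot reach it. That consequence is worth stating on the break so an operator enabling the option is not surprised, e.g. `/* KDC:Disable Lockout: skip all lockout bookkeeping so no MOD is issued; counts already stored are left as they are. */`, and the same one-line comment style on the `disable_last_success` break in the first hunk. The enclosing switch and ipadb_audit_as_req itself start and end outside both hunks.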
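Review bot: The `label=_('Password plugin features')` and `doc=_('Extra hashes to generate in password plug-in')` two lines above the changed `values` in the config.py hunk now describe only half of the enumeration, since the two KDC strings are read by ipa-kdb rather than the password plugin, and that is what `ipa config-mod --help` will show. Suggest `label=_('Password plugin and KDC features')` and `doc=_('Extra hashes to generate in password plug-in; KDC:Disable Last Success and KDC:Disable Lockout turn off the corresponding KDC writes')`. The enclosing StrEnum call starts before the hunk.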