On Fri, 2012-05-25 at 18:36 -0400, Simo Sorce wrote:
> The original ldap driver we used up to 2.2 had 2 options admins could
> set to limit the amount of writes to the database on certain auditing
> related operations.
> In particular disable_last_success is really important to reduce the
> load on database servers.
> 
> I have implemented ticket #2734 with a little twist. Instead of adding
> local options in krb5.conf, I created global options in the LDAP tree, so
> that all KDCs in the domain share the same configuration.
> 
> The 2 new options can be set in ipaConfigString attribute of the
> cn=ipaConfig object under cn=etc,$SUFFIX
> 
> These are:
> KDC:Disable Last Success
> KDC:Disable Lockout
> 
> The first string, if set, will disable updating the krbLastSuccessfulAuth
> field in the service/user entry.
> The second one will prevent changing any of the Lockout related fields
> and will effectively disable lockout policies.
> 
> I think we may want to set the first one by default in future.
> The last successful auth field is not very interesting in general and is
> the cause of a lot of writes that put a lot of pressure on the LDAP server and get
> replicated everywhere, with a storm-multiplier effect we'd like to avoid.
> 
> The lockout one instead happens only when there are failed authentication
> attempts, which means it never happens when keytabs are used, for example.
> And even with users it should happen rarely enough that tracking lockouts
> by default is a good tradeoff for leaving these writes on by default.
> 
> Note that simply setting the lockout policy to never lockout is *not*
> equivalent to setting KDC:Disable Lockout, as it does not prevent writes
> to the database.
> 
> I've tested setting KDC:Disable Last Success and it effectively prevents
> MOD operations from showing up in the server access log.
> 
> Any change to these configuration options requires a reconnection from
> the KDC to the LDAP server, the simplest way to cause that is to restart
> the KDC service.

Attached also rebased patch that cleanly applies on top of 2.2.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
>From d6dd19c2741cd6d611446c0f370751062fd44803 Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Wed, 23 May 2012 12:35:44 -0400
Subject: [PATCH] Add support for disabling KDC writes

Add two global ipaConfig options to disable undesirable writes that have
performance impact.
The "KDC:Disable Last Success" option disables writing back to LDAP the last
successful AS Request time (successful kinit).
The "KDC:Disable Lockout" option completely disables writing back lockout
related data. This means lockout policies will stop working.
---
 API.txt                            |    2 +-
 daemons/ipa-kdb/ipa_kdb.c          |   66 ++++++++++++++++++++++++++++++++++++
 daemons/ipa-kdb/ipa_kdb.h          |    2 +
 daemons/ipa-kdb/ipa_kdb_audit_as.c |    7 ++++
 ipalib/plugins/config.py           |    3 +-
 5 files changed, 78 insertions(+), 2 deletions(-)

diff --git a/API.txt b/API.txt
index 71241b4cc40e14c600127d1087092abf098eb40c..1d34400981a0053a59d13115f7d2c5ad317579fa 100644
--- a/API.txt
+++ b/API.txt
@@ -459,7 +459,7 @@ option: Bool('ipamigrationenabled', attribute=True, autofill=False, cli_name='en
 option: Str('ipagroupobjectclasses', attribute=True, autofill=False, cli_name='groupobjectclasses', csv=True, multivalue=True, required=False)
 option: Str('ipauserobjectclasses', attribute=True, autofill=False, cli_name='userobjectclasses', csv=True, multivalue=True, required=False)
 option: Int('ipapwdexpadvnotify', attribute=True, autofill=False, cli_name='pwdexpnotify', minvalue=0, multivalue=False, required=False)
-option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowLMhash', u'AllowNThash'))
+option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowLMhash', u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
 option: Str('ipaselinuxusermaporder', attribute=True, autofill=False, cli_name='ipaselinuxusermaporder', multivalue=False, required=False)
 option: Str('ipaselinuxusermapdefault', attribute=True, autofill=False, cli_name='ipaselinuxusermapdefault', multivalue=False, required=False)
 option: Str('setattr*', cli_name='setattr', exclude='webui')
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 4c1fdfc06ed7119991d98656d3727abc187f1048..d33b3dd724872f469c0833322d739975a7424d28 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -159,6 +159,65 @@ done:
     return base;
 }
 
+int ipadb_get_global_configs(struct ipadb_context *ipactx)
+{
+    char *attrs[] = { "ipaConfigString", NULL };
+    struct berval **vals = NULL;
+    LDAPMessage *res = NULL;
+    LDAPMessage *first;
+    char *base = NULL;
+    int i;
+    int ret;
+
+    ret = asprintf(&base, "cn=ipaConfig,cn=etc,%s", ipactx->base);
+    if (ret == -1) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    ret = ipadb_simple_search(ipactx, base, LDAP_SCOPE_BASE,
+                              "(objectclass=*)", attrs, &res);
+    if (ret) {
+        goto done;
+    }
+
+    first = ldap_first_entry(ipactx->lcontext, res);
+    if (!first) {
+        /* no results, set nothing */
+        ret = 0;
+        goto done;
+    }
+
+    vals = ldap_get_values_len(ipactx->lcontext, first,
+                               "ipaConfigString");
+    if (!vals || !vals[0]) {
+        /* no config, set nothing */
+        ret = 0;
+        goto done;
+    }
+
+    for (i = 0; vals[i]; i++) {
+        if (strncasecmp("KDC:Disable Last Success",
+                        vals[i]->bv_val, vals[i]->bv_len) == 0) {
+            ipactx->disable_last_success = true;
+            continue;
+        }
+        if (strncasecmp("KDC:Disable Lockout",
+                        vals[i]->bv_val, vals[i]->bv_len) == 0) {
+            ipactx->disable_lockout = true;
+            continue;
+        }
+    }
+
+    ret = 0;
+
+done:
+    ldap_value_free_len(vals);
+    ldap_msgfree(res);
+    free(base);
+    return ret;
+}
+
 int ipadb_get_connection(struct ipadb_context *ipactx)
 {
     struct berval **vals = NULL;
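Review bot: The option matching in ipadb_get_global_configs accepts any prefix of the option name, because strncasecmp is bounded only by vals[i]->bv_len: an ipaConfigString value of "KDC:Disable L" (or a truncated "KDC:Disable") compares equal to both "KDC:Disable Last Success" and "KDC:Disable Lockout" and silently turns lockout bookkeeping off. The length of the value should be checked against the option name before comparing. A second point: the two flags are only ever set to true here and never cleared, so if the same ipactx is reused on reconnection (the cover letter says a reconnection is what picks up changes), removing an option from cn=ipaConfig would not take effect until the flag is reset; clearing both flags at the top of the function fixes that. ipadb_get_connection, whose first lines close this hunk, continues outside it.
```c
int ipadb_get_global_configs(struct ipadb_context *ipactx)
{
    /* … unchanged: local declarations … */

    /* start from a clean slate so a removed option does not survive a
     * reconnection that reuses this context */
    ipactx->disable_last_success = false;
    ipactx->disable_lockout = false;

    /* … unchanged: asprintf, ipadb_simple_search, ldap_first_entry,
     *   ldap_get_values_len and their error paths … */

    for (i = 0; vals[i]; i++) {
        /* require an exact (case-insensitive) match: bounding strncasecmp by
         * bv_len alone would also accept any prefix of the option name */
        if (vals[i]->bv_len == strlen("KDC:Disable Last Success") &&
            strncasecmp("KDC:Disable Last Success",
                        vals[i]->bv_val, vals[i]->bv_len) == 0) {
            ipactx->disable_last_success = true;
            continue;
        }
        if (vals[i]->bv_len == strlen("KDC:Disable Lockout") &&
            strncasecmp("KDC:Disable Lockout",
                        vals[i]->bv_val, vals[i]->bv_len) == 0) {
            ipactx->disable_lockout = true;
            continue;
        }
    }

    /* … unchanged: ret = 0 and the done: cleanup … */
```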
@@ -259,7 +318,14 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
     ipactx->supp_encs = kst;
     ipactx->n_supp_encs = n_kst;
 
+    /* get additional options */
+    ret = ipadb_get_global_configs(ipactx);
+    if (ret) {
+        goto done;
+    }
+
 #if 0
+    /* get adtrust options */
     ret = ipadb_reinit_mspac(ipactx);
     if (ret && ret != ENOENT) {
         /* TODO: log that there is an issue with adtrust settings */
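Review bot: Any non-zero return from ipadb_get_global_configs now aborts ipadb_get_connection outright, while the adtrust block immediately below is written to tolerate ENOENT. ipadb_get_global_configs already treats "no entry" and "no values" as "set nothing", but if ipadb_simple_search reports a missing cn=ipaConfig entry as an error (its mapping is not visible in this patch), a KDC on such a tree would fail to connect at all rather than run with both options off. If that is not intended, mirror the adtrust handling: `if (ret && ret != ENOENT) { goto done; }`. ipadb_get_connection starts and ends outside this hunk.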
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 9330a2e082fa75464690eb83acfc6cde5c39871e..b8d475327886602ba3e189277aca62075f41917d 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -92,6 +92,8 @@ struct ipadb_context {
     krb5_key_salt_tuple *supp_encs;
     int n_supp_encs;
     struct ipadb_wincompat wc;
+    bool disable_last_success;
+    bool disable_lockout;
 };
 
 #define IPA_E_DATA_MAGIC 0x0eda7a
diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c
index 64af8b2f9e8d8ab9d2828014b5ce214704ab3e46..7596db0fae165efd21e7c24f9af97a200e99e624 100644
--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
+++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
@@ -72,6 +72,9 @@ void ipadb_audit_as_req(krb5_context kcontext,
                 client->fail_auth_count = 0;
                 client->mask |= KMASK_FAIL_AUTH_COUNT;
             }
+            if (ipactx->disable_last_success) {
+                break;
+            }
             client->last_success = authtime;
             client->mask |= KMASK_LAST_SUCCESS;
         }
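Review bot: The success path still resets fail_auth_count (lines `client->fail_auth_count = 0; client->mask |= KMASK_FAIL_AUTH_COUNT;` just above the new check) regardless of disable_lockout, so the commit message's claim that lockout-related writes are disabled "completely" does not hold: a principal carrying a non-zero count from before the option was enabled gets one MOD on its next successful AS request. If that write is meant to be suppressed too, guard that reset with `if (!ipactx->disable_lockout && client->fail_auth_count != 0)` or equivalent; the condition that opens that block is outside the hunk, so its exact form should be confirmed. Whether the lingering count is also worth a comment is a judgement call, since it is harmless once lockout evaluation is disabled. ipadb_audit_as_req starts before and ends after this hunk.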
@@ -80,6 +83,10 @@ void ipadb_audit_as_req(krb5_context kcontext,
     case KRB5KDC_ERR_PREAUTH_FAILED:
     case KRB5KRB_AP_ERR_BAD_INTEGRITY:
 
+        if (ipactx->disable_lockout) {
+            break;
+        }
+
         if (client->last_failed <= ied->last_admin_unlock) {
             /* Reset fail_auth_count, and admin unlocked the account */
             client->fail_auth_count = 0;
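Review bot: The new early `break` in the failure branch has no comment, and a reader of the switch cannot tell from the surrounding lines that it intentionally drops all failure bookkeeping (counter, last_failed and the admin-unlock reset) rather than just skipping the lockout check. Suggested comment above the `if`: `/* KDC:Disable Lockout is set globally: record nothing about failed attempts, so lockout policies are effectively off and no MOD is sent */`. The enclosing switch and ipadb_audit_as_req continue outside the hunk.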
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index df960f4c0117e453ffb79ae7469476b5ff234f0d..aa929537862fe9a2336e840f2784337feee60d56 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -177,7 +177,8 @@ class config(LDAPObject):
             cli_name='ipaconfigstring',
             label=_('Password plugin features'),
             doc=_('Extra hashes to generate in password plug-in'),
-            values=(u'AllowLMhash', u'AllowNThash'),
+            values=(u'AllowLMhash', u'AllowNThash',
+                    u'KDC:Disable Last Success', u'KDC:Disable Lockout'),
             csv=True,
         ),
         Str('ipaselinuxusermaporder',
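Review bot: The `label=_('Password plugin features')` and `doc=_('Extra hashes to generate in password plug-in')` texts now sit on an option whose value set also carries two KDC switches, so the CLI help and web UI will describe "KDC:Disable Lockout" as a password-hash feature. Widen the doc to cover both uses, e.g. `doc=_('Extra hashes to generate in password plug-in, and KDC options (KDC:Disable Last Success, KDC:Disable Lockout)')`, and consider a more neutral label. Operators should be able to see from the help text that the lockout value turns lockout policies off. The enclosing `takes_params` tuple and the `config` class start before this hunk and continue after it.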
-- 
1.7.7.6
