Simo Sorce wrote:
The original ldap driver we used up to 2.2 had 2 options admins could
set to limit the amount of writes to the database on certain auditing
related operations.
In particular disable_last_success is really important to reduce the
load on database servers.

I have implemented ticket #2734 with a little twist. Instead of adding
local options in krb5.conf I create global options in the LDAP tree, so
that all KDCs in the domain have the same configuration.

The 2 new options can be set in ipaConfigString attribute of the
cn=ipaConfig object under cn=etc,$SUFFIX

These are:
KDC:Disable Last Success
KDC:Disable Lockout

The first string if set will disable updating the krbLastSuccessfulAuth
field in the service/user entry.
The second one will prevent changing any of the Lockout related fields
and will effectively disable lockout policies.

I think we may want to set the first one by default in future.
The last successful auth field is not very interesting in general and is
cause for a lot of writes that pressure a lot the LDAP server and get
replicated everywhere with a storm multiplier effect we'd like to avoid.

The lockout one instead happen only when there are failed authentication
attempt, this means it never happens when keytabs are used for example.
And even with users it should happen rarely enough that traking lockouts
by default make leaving these writes on by default is a good tradeoff.

Note that simply setting the lockout policy to never lockout is *not*
equivalent to setting KDC:Disable Lockout, as it does not prevent writes
to the database.

I've tested setting KDC:Disable Last Success and it effectively prevent
MOD operation from showing up in the server access log.

Any change to these configuration options requires a reconnection from
the KDC to the LDAP server, the simplest way to cause that is to restart
the KDC service.


In ipadb_get_global_configs() should there be a call to LOG_OOM()?

Also, if ipadb_simple_search() or ipadb_get_global_configs() fails should we log the result code when non-zero?


Freeipa-devel mailing list

Reply via email to