On Mon, 2012-06-04 at 22:59 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > The original ldap driver we used up to 2.2 had 2 options admins could
> > set to limit the amount of writes to the database on certain auditing
> > related operations.
> > In particular disable_last_success is really important to reduce the
> > load on database servers.
> >
> > I have implemented ticket #2734 with a little twist. Instead of adding
> > local options in krb5.conf I create global options in the LDAP tree, so
> > that all KDCs in the domain have the same configuration.
> >
> > The 2 new options can be set in the ipaConfigString attribute of the
> > cn=ipaConfig object under cn=etc,$SUFFIX
> >
> > These are:
> > KDC:Disable Last Success
> > KDC:Disable Lockout
> >
> > The first string, if set, will disable updating the krbLastSuccessfulAuth
> > field in the service/user entry.
> > The second one will prevent changing any of the Lockout related fields
> > and will effectively disable lockout policies.
> >
> > I think we may want to set the first one by default in future.
> > The last successful auth field is not very interesting in general and is
> > the cause of a lot of writes that put a lot of pressure on the LDAP
> > server and get replicated everywhere with a storm multiplier effect
> > we'd like to avoid.
> >
> > The lockout one instead happens only when there are failed authentication
> > attempts; this means it never happens when keytabs are used, for example.
> > And even with users it should happen rarely enough that tracking lockouts
> > by default makes leaving these writes on by default a good tradeoff.
> >
> > Note that simply setting the lockout policy to never lock out is *not*
> > equivalent to setting KDC:Disable Lockout, as it does not prevent writes
> > to the database.
> >
> > I've tested setting KDC:Disable Last Success and it effectively prevents
> > MOD operations from showing up in the server access log.
> >
> > Any change to these configuration options requires a reconnection from
> > the KDC to the LDAP server; the simplest way to cause that is to restart
> > the KDC service.
> >
> > Simo.
>
> In ipadb_get_global_configs() should there be a call to LOG_OOM()?
>
> Also, if ipadb_simple_search() or ipadb_get_global_configs() fails
> should we log the result code when non-zero?

Well this code runs in the KDC, not in DIRSRV, so LOG_OOM() wouldn't work.
Perhaps we should add KDC_LOG() macros, but that would be a separate task imo.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
_______________________________________________
Freeipa-devel mailing list
https://www.redhat.com/mailman/listinfo/freeipa-devel
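For reference, the administrative side of what the thread describes (setting one of the two KDC:* values on cn=ipaConfig,cn=etc,$SUFFIX, reading it back, and restarting the KDC so it reconnects to LDAP), as an added shell example that is not from the thread or from the FreeIPA project. It assumes an admin Kerberos ticket is already held, that ldapmodify/ldapsearch from openldap-clients are available, and that the KDC is restarted with `service krb5kdc restart` (the exact restart command is an assumption).

```shell
#!/bin/sh
# Added example, not FreeIPA project code. SUFFIX is the IPA base DN,
# e.g. dc=example,dc=com; OPTION is one of the values from the thread:
#   "KDC:Disable Last Success"  or  "KDC:Disable Lockout"

# Emit the LDIF that adds one KDC option as an additional ipaConfigString
# value (the attribute is multi-valued, so use "add", not "replace").
# Usage: kdc_option_ldif SUFFIX OPTION
kdc_option_ldif() {
    suffix=$1
    option=$2
    printf 'dn: cn=ipaConfig,cn=etc,%s\nchangetype: modify\nadd: ipaConfigString\nipaConfigString: %s\n' \
        "$suffix" "$option"
}

# Filter an LDIF dump (stdin) down to the KDC:* options that are set,
# printing just the option names. Used to verify the change after applying it.
kdc_options_present() {
    grep '^ipaConfigString: KDC:' | sed 's/^ipaConfigString: //'
}

# Apply one option against a live server (GSSAPI bind with the admin ticket),
# then read the object back to confirm the value is stored.
apply_kdc_option() {
    suffix=$1
    option=$2
    kdc_option_ldif "$suffix" "$option" | ldapmodify -Y GSSAPI -Q
    ldapsearch -Y GSSAPI -Q -LLL -s base -b "cn=ipaConfig,cn=etc,$suffix" ipaConfigString \
        | kdc_options_present
}

# Only touch a server when explicitly asked, so the file can be sourced safely:
#   sh this_script.sh --apply dc=example,dc=com "KDC:Disable Last Success"
if [ "${1:-}" = "--apply" ]; then
    apply_kdc_option "$2" "$3"
    # The KDC reads the options only when it (re)connects to LDAP, so restart it
    # (assumed service name; adjust to how the KDC is managed on the host).
    service krb5kdc restart
fi
```

After the restart, the check the thread describes is to watch the directory server access log and confirm that the MOD operations on krbLastSuccessfulAuth no longer appear for successful authentications.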