On 05/26/2012 12:36 AM, Simo Sorce wrote:
> The original ldap driver we used up to 2.2 had 2 options admins could
> set to limit the amount of writes to the database on certain auditing
> related operations.
> In particular disable_last_success is really important to reduce the
> load on database servers.
>
> I have implemented ticket #2734 with a little twist. Instead of adding
> local options in krb5.conf I create global options in the LDAP tree, so
> that all KDCs in the domain have the same configuration.
>
> The 2 new options can be set in ipaConfigString attribute of the
> cn=ipaConfig object under cn=etc,$SUFFIX
>
> These are:
> KDC:Disable Last Success
> KDC:Disable Lockout

Attaching patch which adds these two new configuration values to Web UI.

Petr Vobornik
From 48c809ac12568958982ac3f3142761aabc2b71a1 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Wed, 6 Jun 2012 13:00:44 +0200
Subject: [PATCH] Update of serverconfig ipaconfigstring options

Patch "Add options to reduce writes from KDC" adds two more possible values to the config plugin's ipaconfigstring configuration options.

These are:
 * KDC:Disable Last Success
 * KDC:Disable Lockout

This patch adds them to Web UI

 install/ui/serverconfig.js |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/install/ui/serverconfig.js b/install/ui/serverconfig.js
index 2b9be6edeeb93fbbeff6bbb78a95afeccaa7d428..3e61f650992128198f0343808e711ce356581edc 100644
--- a/install/ui/serverconfig.js
+++ b/install/ui/serverconfig.js
@@ -62,7 +62,10 @@ IPA.config.entity = function(spec) {
                             name: 'ipaconfigstring',
                             type: 'checkboxes',
-                            options: IPA.create_options(['AllowLMhash','AllowNThash'])
+                            options: IPA.create_options([
+                                'AllowLMhash', 'AllowNThash',
+                                'KDC:Disable Last Success', 'KDC:Disable Lockout'
+                            ])
                             type: 'checkbox',
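
Review bot: The two added entries 'KDC:Disable Last Success' and 'KDC:Disable Lockout' are passed to IPA.create_options as bare strings, the same way as 'AllowLMhash' and 'AllowNThash', so the checkboxes presumably show only the raw config values and nothing tells the admin what ticking them does. Going by its name, 'KDC:Disable Lockout' switches off a protective control, and per the cover mail these values live in the LDAP tree and apply to every KDC in the domain, so a descriptive label or tooltip for these two options would be worth adding instead of the bare value. The strings are also hard-coded here and have to match what the KDC side parses character for character (colon, spaces, capitalisation); a short comment pointing at where they are defined would help keep the two in sync.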

Freeipa-devel mailing list
