On Wed, 2014-02-26 at 12:39 +0100, Martin Kosek wrote:
> On 02/26/2014 09:33 AM, Alexander Bokovoy wrote:
> > On Wed, 26 Feb 2014, Martin Kosek wrote:
> >> On 02/25/2014 07:59 PM, Simo Sorce wrote:
> >>> On Tue, 2014-02-25 at 20:58 +0200, Alexander Bokovoy wrote:
> >>>> Resending patch 0138 together with another case Simo found out today:
> >>>> when authdata flag is cleared by admin for the service principal, we'll
> >>>> get NULL client database entry. In such case we have to bail out.
> >>>
> >>> The patches look correct code-flow-wise to me.
> >>>
> >>> So tentative ack pending testing.
> >>>
> >>> Simo.
> >>>
> >>
> >> Just checking - are we ok performance-wise? If we for example add one
> >> additional LDAP search for every Kerberos authentication, it may increase the
> >> load on our LDAP server.
> > One additional LDAP query per S4U2Proxy ticket issuing. It is not much
> > and it has to be done because current code does it wrongly for MS-PAC.
> >
> > It is worth noting that issuing tickets should be relatively rare
> > operation -- with sessions in IPA server we don't hit HTTP/->ldap/
> > service ticket granting in S4U2Proxy case more than once.
> > 'ipa trust-add' case is a bit more specific but you rarely establish
> > trusts every second of the day, do you?
> >
> > For normal operations it wouldn't affect anything beyond statistical
> > noise level.
> >
>
> If this only hits web management of FreeIPA (i.e. S4U2Proxy scenario) and the
> usual SSSD operations, then I have no concerns here.

Yes, this is a relatively rare event for now. But even if it weren't, there is no workaround for now.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel