On 07/10/15 17:32, thierry bordaz wrote:
On 10/07/2015 05:29 PM, Simo Sorce wrote:
On 07/10/15 11:06, thierry bordaz wrote:
On 10/07/2015 03:10 PM, David Kupka wrote:
On 06/10/15 17:52, Jakub Hrozek wrote:
On Tue, Oct 06, 2015 at 08:32:29AM -0400, Simo Sorce wrote:
On 06/10/15 08:04, David Kupka wrote:
On 06/10/15 13:35, Simo Sorce wrote:
On 06/10/15 03:51, thierry bordaz wrote:
On 10/06/2015 07:19 AM, David Kupka wrote:
On 05/10/15 16:12, Simo Sorce wrote:
On 05/10/15 09:00, Martin Babinsky wrote:
These patches implement the plumbing required to properly
support
canonicalization of Kerberos principals (
https://fedorahosted.org/freeipa/ticket/3864).
Setting multiple principal aliases on hosts/services is beyond
the
scope
of this patchset and should be done after these patches are
pushed.
I will try to send some tests for the patches later this week.
Please review the hell out of them.
LGTM, I do not see any issue at quick visual inspection.
What about the performance regression with the indexes ? Is
that bug
fixed in 389ds ?
Simo.
The issue is still there. Thierry investigated this in 389 DS
and IIUC
he is not sure if it's bug or completely missing feature.
Therefore we
still don't know how much time is needed there.
Hi,
that is correct.
I can reproduce the problem. Although the matching rule (in my
test
caseIgnoreIA5Match) is found, it has no registered indexing
function, so
the setting (nsMatchingRule) is ignored.
I do not know if the indexing function is missing or there is a
bug so
that the matching rule "forget" to register it.
This feature is documented but I can not find any QA test around
it, so
I do not know yet if it is a regression or if it was not enabled
at all.
I do not expect rapid progress on it. How urgent is it ? 7.3 ?
For the moment I can think to only two workarounds:
* use filtered matching rule (preferred)
* change the attribute syntax/matching rule, in the schema (I
would
discourage this one because changing the schema is risky)
We can't change the syntax at this point.
Well this patchset is blocked until the 389 ds bug is fixed (the
performance regression is too big to just put it in and hope) so I
guess
we'll have to negotiate a time for the fix.
Simo.
I agree that we really shouldn't change schema.
But I don't think the patches're necessary blocked by this issue.
Canonicalization was never supported in FreeIPA and when it is not
requested the performance is not effected at all. We could merge
patches
as soon as they're carefully reviewed and tested to avoid tedious
rebasing and start using the new functionality when 389 DS gets
fixed.
The fact we didn't do canonicalization this way doesn't mean clients
aren't
asking for it.
I think Windows clients ask for canonicalization by default, and in
SSSD I
see we turn on by default krb5_canonicalize in the IPA nd LDAP case
(oddly
enough not in the AD case ?)
So SSSD's authentication requests would end up hitting this case all
the
time if I am reading the code correctly (CCed Jakub to
confirm/dispel this).
We ask for canonicalization always in IPA and LDAP, but also whenever
enterprise principals are used, which is true for AD provider.
Then SSSD will hit this every time it requests ticket on behalf of
user.
But to be sure what the impact would be I've once again set up FreeIPA
server with 10K users and run some tests.
1) 3 LDAP searches (caseIgnoreIA5Match, caseExactIA5Match, without
specifying the matching rule).
Results (http://fpaste.org/275847/44221770/raw/) shows that unindexed
search takes ~100 times longer than indexed.
2) kinit with and without requested canonicalization.
As we use kinit to get the ticket it makes sense to check what will
the performance hit be when we run kinit as a whole and not just an
isolated LDAP search.
The results (http://fpaste.org/275848/21793144/raw/) shows that with
canonicalization it takes ~2 times longer than without it.
While this is nothing to be happy about it's certainly better than I
would expect.
Clearly we need to make the search indexed.
In your deployment you defined:
dn: uid=user1000098,cn=users,cn=accounts,dc=example,dc=test
uid: user1000098
givenName: Test
sn: User1000098
cn: Test User1000098
initials: TU
homeDirectory: /home/user1000098
gecos: Test User1000098
loginShell: /bin/sh
mail: user1000...@example.test
uidNumber: 7611001000098
gidNumber: 7611001000098
displayName: Test User1000098
*krbPrincipalName: user1000...@example.test*
*krbCanonicalName: user1000...@example.test*
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
ipaUniqueID: 6048c4ac-6cdd-11e5-a0af-080027987dcb
mepManagedEntry:
cn=user1000098,cn=groups,cn=accounts,dc=example,dc=test
Would it be an option to create a new attribute, 'krbNonCanonicalName'
(containing the krbprincipal) but with a 'caseignoreIA5' syntax ?
If this attribute is indexed, your lookup from a raw principal would
user "(krbNonCanonicalname=user10000...@example.test)"
It is not an option, no changing attributes, no changing syntaxes, if
DS can't be fixed we'll need to adopt a completely different strategy
we discussed already previously.
However it would be much nicer if we could fix DS to allow to create
(and use) indexes for matching rules that are not defined in the schema.
Ok I understand... and agree. Let's investigate what's need to be done
in DS :-)
Simo.
Thierry is focused mainly on integration of 389 DS and FreeIPA. Since
this is a general 389 DS issue and it is not related specifically to
FreeIPA could we ask 389 DS upstream for a fix?
In general extensible matching never uses indices. I believe this is
severe enough to be considered major issue by upstream.
--
David Kupka
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
