Hi

on a production IPA realm with 3 servers and about 2000 users we were
experimenting a very high load on the servers. Further investigation
showed that the high load was caused by a lot of writes done by the IPA
dirsrv instance. Activating the audit logging showed a lot of MOD
operation to the directory, like these:

time: 20130204140217
dn: uid=XXXX,cn=users,cn=accounts,dc=XXX,dc=XXX,dc=XX
changetype: modify
replace: modifiersName
modifiersName: cn=IPA Lockout,cn=plugins,cn=config
-
replace: modifyTimestamp
modifyTimestamp: 20130204183216Z
-
replace: entryusn
entryusn: 3472506
-

time: 20130204140217
dn: uid=XXXX,cn=users,cn=accounts,dc=XXX,dc=XXX,dc=XX
changetype: modify
replace: modifiersName
modifiersName: cn=IPA Lockout,cn=plugins,cn=config
-
replace: modifyTimestamp
modifyTimestamp: 20130204183217Z
-
replace: entryusn
entryusn: 3472507

There is an HTTP proxy server which connects to IPA to perform user
authorization and it seems that it does a BIND on behalf of the user for
every page the user visits... and for every successful BIND the IPA
Lockout plugin does the MODs indicated above.

It is to note that currently we are not locking accounts on failed
authentication to the directory, so the above MODs seem completely
unnecessary.

For the time being we disabled the ipa lockout plugin, but we would like
to know if the behavior highlighted above is expected or if we should
file a bug.

Thanks
-- 
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to