[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically
URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

MartinBasti commented:
"""
master:
* e8aed2524846f1cff3d09d676675f3b426178f60 ipa-kdb: reload certificate mapping rules periodically

ipa-4-5:
* d59694a93c3a734915d4ac05bb4e02a40f9cb08a ipa-kdb: reload certificate mapping rules periodically
"""

See the full comment at https://github.com/freeipa/freeipa/pull/823#issuecomment-305807940
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically
URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

sumit-bose commented:
"""
> @sumit-bose I got confused by "periodically" in title and "every 5 minutes"
> in description. It works as expected.

ah, yes, I'm sorry the wording is misleading. Please let me know if I should fix the commit message before the patch is pushed?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/823#issuecomment-305778177
[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically
URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

dkupka commented:
"""
@sumit-bose I got confused by "periodically" in title and "every 5 minutes" in description. It works as expected.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/823#issuecomment-305773483
[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically
URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

sumit-bose commented:
"""
@dkupka, the reload only happens during processing the PKINIT request if the rules are older than 5 minutes. It is not a timed event which runs all the time every 5 minutes.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/823#issuecomment-305523652
[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically
URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

dkupka commented:
"""
@sumit-bose You're right but then there's ~6 hours gap where no reload happened. I would expect that there would be one attempt to reload every 5 minutes. Or do I understand it wrong?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/823#issuecomment-305518700
[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically
URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

sumit-bose commented:
"""
@dkupka, ah, this is a side effect of having multiple workers (3907-3912). The IPA context is not shared between the workers so each will load the certificate mapping rule on its own. If I checked the reload times of the different workers correctly none does it more often than once in 5 minutes.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/823#issuecomment-305487292
[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically
URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

dkupka commented:
"""
@sumit-bose Yes, I added rule that should allow the user to kinit with certificate. I tried and it worked. Then I modified the rule so it no longer matched the user and immediate pkinit failed. I see the message with each kinit, not in the interval:

```
$ sudo grep "Initializing IPA certauth plugin" /var/log/krb5kdc.log
Jun 01 08:44:45 vm-150.example.com krb5kdc[3908](info): Initializing IPA certauth plugin.
Jun 01 08:45:07 vm-150.example.com krb5kdc[3910](info): Initializing IPA certauth plugin.
Jun 01 08:52:54 vm-150.example.com krb5kdc[3907](info): Initializing IPA certauth plugin.
Jun 01 08:52:57 vm-150.example.com krb5kdc[3911](info): Initializing IPA certauth plugin.
Jun 01 08:53:22 vm-150.example.com krb5kdc[3908](info): Initializing IPA certauth plugin.
Jun 01 08:56:50 vm-150.example.com krb5kdc[3909](info): Initializing IPA certauth plugin.
Jun 01 09:02:14 vm-150.example.com krb5kdc[3912](info): Initializing IPA certauth plugin.
Jun 01 09:02:33 vm-150.example.com krb5kdc[3907](info): Initializing IPA certauth plugin.
Jun 01 14:55:21 vm-150.example.com krb5kdc[3908](info): Initializing IPA certauth plugin.
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/823#issuecomment-305485079
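The two points sumit-bose makes in this thread, that the reload is a lazy check done while a PKINIT request is processed rather than a timer, and that each KDC worker process keeps its own copy of the rules so the log shows reloads from several PIDs close together, can be checked against dkupka's log excerpt above. The following is an added example written for this page; it is not FreeIPA or ipa-kdb code. `WorkerRules` is a hypothetical model of one worker's lazily refreshed rule cache, and the log analyser groups the "Initializing IPA certauth plugin" lines by PID and reports the smallest gap between consecutive reloads per worker, so the "every kinit" impression (3 seconds between reloads across the whole KDC) and the per-worker view (never under 5 minutes for any single PID) can be compared directly. The log year is not in the excerpt and is assumed to be 2017; it does not affect the gaps.

```python
"""Added example (not FreeIPA code): lazy per-worker reload of certificate
mapping rules, and a per-PID check of a krb5kdc.log excerpt."""
import re
from collections import defaultdict
from datetime import datetime

RELOAD_INTERVAL = 300  # seconds; the "5 minutes" discussed in PR#823


class WorkerRules:
    """Hypothetical model of one KDC worker's view of the certmap rules.

    Reload is lazy: it happens only while a PKINIT request is handled and
    the cached rules are older than RELOAD_INTERVAL. No timer is involved,
    so an idle worker never reloads at all.
    """

    def __init__(self, pid, loader):
        self.pid = pid
        self.loader = loader      # callable returning the fresh rule set
        self.loaded_at = None     # monotonic seconds of the last (re)load
        self.rules = None
        self.reloads = 0

    def handle_pkinit(self, now):
        if self.loaded_at is None or now - self.loaded_at >= RELOAD_INTERVAL:
            self.rules = self.loader()
            self.loaded_at = now
            self.reloads += 1
        return self.rules


def simulate(requests):
    """requests: iterable of (seconds, pid). Each PID is an independent
    worker with its own cache. Returns {pid: number_of_reloads}."""
    workers = {}
    for now, pid in requests:
        worker = workers.setdefault(pid, WorkerRules(pid, lambda: ["rule"]))
        worker.handle_pkinit(now)
    return {pid: w.reloads for pid, w in workers.items()}


# Matches the krb5kdc.log lines quoted in the thread.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[(?P<pid>\d+)\]\(info\): "
    r"Initializing IPA certauth plugin\.$"
)


def reload_times_by_pid(lines, year=2017):
    """Group plugin-initialisation timestamps per worker PID.
    krb5kdc.log omits the year; 2017 is an assumption for this excerpt."""
    by_pid = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        by_pid[int(m["pid"])].append(ts)
    return dict(by_pid)


def _min_gap(times):
    times = sorted(times)
    deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return min(deltas) if deltas else None


def min_reload_gap_per_pid(lines):
    """Smallest gap in seconds between consecutive reloads of one worker;
    None when that PID reloaded only once in the excerpt."""
    return {pid: _min_gap(t) for pid, t in reload_times_by_pid(lines).items()}


def min_reload_gap_global(lines):
    """Smallest gap ignoring PIDs: what a plain grep over the log suggests."""
    return _min_gap([t for ts in reload_times_by_pid(lines).values() for t in ts])


def workers_reloading_too_often(lines):
    """PIDs that reloaded more than once within RELOAD_INTERVAL."""
    return sorted(pid for pid, gap in min_reload_gap_per_pid(lines).items()
                  if gap is not None and gap < RELOAD_INTERVAL)


# Log lines as quoted by dkupka in the PR thread.
SAMPLE_LOG = """\
Jun 01 08:44:45 vm-150.example.com krb5kdc[3908](info): Initializing IPA certauth plugin.
Jun 01 08:45:07 vm-150.example.com krb5kdc[3910](info): Initializing IPA certauth plugin.
Jun 01 08:52:54 vm-150.example.com krb5kdc[3907](info): Initializing IPA certauth plugin.
Jun 01 08:52:57 vm-150.example.com krb5kdc[3911](info): Initializing IPA certauth plugin.
Jun 01 08:53:22 vm-150.example.com krb5kdc[3908](info): Initializing IPA certauth plugin.
Jun 01 08:56:50 vm-150.example.com krb5kdc[3909](info): Initializing IPA certauth plugin.
Jun 01 09:02:14 vm-150.example.com krb5kdc[3912](info): Initializing IPA certauth plugin.
Jun 01 09:02:33 vm-150.example.com krb5kdc[3907](info): Initializing IPA certauth plugin.
Jun 01 14:55:21 vm-150.example.com krb5kdc[3908](info): Initializing IPA certauth plugin.
""".splitlines()

if __name__ == "__main__":
    print("global min gap (s):", min_reload_gap_global(SAMPLE_LOG))
    print("per-PID min gap (s):", min_reload_gap_per_pid(SAMPLE_LOG))
    print("workers under 5 min:", workers_reloading_too_often(SAMPLE_LOG))
```

Run against the quoted excerpt, the global minimum gap is 3 seconds (PIDs 3907 and 3911 at 08:52:54 and 08:52:57), while the per-worker minima are 517 seconds for 3908 and 579 seconds for 3907, with the remaining PIDs reloading once. The multi-hour gap before 14:55:21 is consistent with the lazy design: a worker that receives no PKINIT request does not reload.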
[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically
URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

sumit-bose commented:
"""
@dkupka, did you modify the rules so that PKINIT should fail, or how did you test? I tried to reproduce but according to the logs the rules are reloaded every 5 minutes:

```
[root@ipa-devel-f25 tmp]# grep nitializ /var/log/krb5kdc.log
Jun 01 14:37:07 ipa-devel-f25.ipaf25.devel krb5kdc[20471](info): Initializing IPA certauth plugin.
Jun 01 14:37:07 ipa-devel-f25.ipaf25.devel krb5kdc[20471](info): sss_certmap initialized.
Jun 01 14:42:20 ipa-devel-f25.ipaf25.devel krb5kdc[20471](info): Initializing IPA certauth plugin.
Jun 01 14:42:20 ipa-devel-f25.ipaf25.devel krb5kdc[20471](info): sss_certmap initialized.
Jun 01 14:47:29 ipa-devel-f25.ipaf25.devel krb5kdc[20471](info): Initializing IPA certauth plugin.
Jun 01 14:47:29 ipa-devel-f25.ipaf25.devel krb5kdc[20471](info): sss_certmap initialized.
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/823#issuecomment-305483776
[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically
URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

dkupka commented:
"""
@sumit-bose Works suspiciously well. I would expect some delay (up to 5 minutes) between modifying the rule and the change being effective but there's none. Is there a chance it (accidentally) reloads the rules with every TGT request? That would probably have undesired performance impact.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/823#issuecomment-305409180