[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically

2017-06-02 Thread MartinBasti via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

MartinBasti commented:
"""
master:

* e8aed2524846f1cff3d09d676675f3b426178f60 ipa-kdb: reload certificate mapping rules periodically


ipa-4-5:

* d59694a93c3a734915d4ac05bb4e02a40f9cb08a ipa-kdb: reload certificate mapping rules periodically


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/823#issuecomment-305807940
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically

2017-06-02 Thread sumit-bose via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

sumit-bose commented:
"""
> @sumit-bose I got confused by "periodically" in title and "every 5 minutes" 
> in description. It works as expected.

Ah, yes, I'm sorry, the wording is misleading. Please let me know if I should 
fix the commit message before the patch is pushed.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/823#issuecomment-305778177


[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically

2017-06-02 Thread dkupka via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

dkupka commented:
"""
@sumit-bose I got confused by "periodically" in title and "every 5 minutes" in 
description. It works as expected.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/823#issuecomment-305773483


[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically

2017-06-01 Thread sumit-bose via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

sumit-bose commented:
"""
@dkupka, the reload only happens during processing of the PKINIT request if the 
rules are older than 5 minutes. It is not a timed event which runs all the time 
every 5 minutes.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/823#issuecomment-305523652


[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically

2017-06-01 Thread dkupka via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

dkupka commented:
"""
@sumit-bose You're right, but then there's a ~6 hour gap where no reload 
happened. I would expect that there would be one attempt to reload every 5 
minutes. Or do I understand it wrong?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/823#issuecomment-305518700


[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically

2017-06-01 Thread sumit-bose via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

sumit-bose commented:
"""
@dkupka, ah, this is a side effect of having multiple workers (3907-3912). The 
IPA context is not shared between the workers, so each will load the certificate 
mapping rules on its own.

If I checked the reload times of the different workers correctly, none does it 
more often than once in 5 minutes.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/823#issuecomment-305487292


[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically

2017-06-01 Thread dkupka via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

dkupka commented:
"""
@sumit-bose Yes, I added a rule that should allow the user to kinit with a 
certificate. I tried and it worked. Then I modified the rule so it no longer 
matched the user and pkinit immediately failed. I see the message with each kinit, 
not in the interval:

```
$ sudo grep "Initializing IPA certauth plugin" /var/log/krb5kdc.log
Jun 01 08:44:45 vm-150.example.com krb5kdc[3908](info): Initializing IPA certauth plugin.
Jun 01 08:45:07 vm-150.example.com krb5kdc[3910](info): Initializing IPA certauth plugin.
Jun 01 08:52:54 vm-150.example.com krb5kdc[3907](info): Initializing IPA certauth plugin.
Jun 01 08:52:57 vm-150.example.com krb5kdc[3911](info): Initializing IPA certauth plugin.
Jun 01 08:53:22 vm-150.example.com krb5kdc[3908](info): Initializing IPA certauth plugin.
Jun 01 08:56:50 vm-150.example.com krb5kdc[3909](info): Initializing IPA certauth plugin.
Jun 01 09:02:14 vm-150.example.com krb5kdc[3912](info): Initializing IPA certauth plugin.
Jun 01 09:02:33 vm-150.example.com krb5kdc[3907](info): Initializing IPA certauth plugin.
Jun 01 14:55:21 vm-150.example.com krb5kdc[3908](info): Initializing IPA certauth plugin.
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/823#issuecomment-305485079
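A way to check the explanation given in the reply above (that the rapid-looking reloads in this log come from different KDC worker processes, and that no single worker reloads more often than once in 5 minutes), run over the log lines from this comment. This is an added example, not part of the thread or of FreeIPA's code; the year 2017 is assumed because krb5kdc.log timestamps carry none.

```python
import re
from datetime import datetime

# Constructed from the log posted above; the year is assumed (krb5kdc.log carries none).
SAMPLE_LOG = """\
Jun 01 08:44:45 vm-150.example.com krb5kdc[3908](info): Initializing IPA certauth plugin.
Jun 01 08:45:07 vm-150.example.com krb5kdc[3910](info): Initializing IPA certauth plugin.
Jun 01 08:52:54 vm-150.example.com krb5kdc[3907](info): Initializing IPA certauth plugin.
Jun 01 08:52:57 vm-150.example.com krb5kdc[3911](info): Initializing IPA certauth plugin.
Jun 01 08:53:22 vm-150.example.com krb5kdc[3908](info): Initializing IPA certauth plugin.
Jun 01 08:56:50 vm-150.example.com krb5kdc[3909](info): Initializing IPA certauth plugin.
Jun 01 09:02:14 vm-150.example.com krb5kdc[3912](info): Initializing IPA certauth plugin.
Jun 01 09:02:33 vm-150.example.com krb5kdc[3907](info): Initializing IPA certauth plugin.
Jun 01 14:55:21 vm-150.example.com krb5kdc[3908](info): Initializing IPA certauth plugin.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[(?P<pid>\d+)\]\(info\): "
    r"Initializing IPA certauth plugin\.$"
)

def reload_times_by_worker(log_text, year=2017):
    """Map each krb5kdc worker PID to its sorted list of plugin-init times."""
    by_pid = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        by_pid.setdefault(int(m["pid"]), []).append(ts)
    return {pid: sorted(times) for pid, times in by_pid.items()}

def min_gap_seconds(times):
    """Shortest gap between consecutive entries; None when fewer than two."""
    if len(times) < 2:
        return None
    return min((b - a).total_seconds() for a, b in zip(times, times[1:]))

def workers_reloading_too_often(log_text, min_gap=300):
    """PIDs whose own reloads are closer together than min_gap seconds."""
    per_worker = reload_times_by_worker(log_text)
    return sorted(pid for pid, times in per_worker.items()
                  if (gap := min_gap_seconds(times)) is not None and gap < min_gap)

def overall_min_gap_seconds(log_text):
    """Shortest gap with the PID ignored, i.e. what the raw log seems to show."""
    merged = sorted(t for ts in reload_times_by_worker(log_text).values() for t in ts)
    return min_gap_seconds(merged)
```

Ignoring the PID, two reloads sit only 3 seconds apart; grouped per worker, the shortest interval for any single PID is 517 seconds, which is consistent with a per-process 5 minute staleness check.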


[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically

2017-06-01 Thread sumit-bose via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

sumit-bose commented:
"""
@dkupka, did you modify the rules so that PKINIT should fail, or how did you 
test? I tried to reproduce, but according to the logs the rules are reloaded 
every 5 minutes:

```
[root@ipa-devel-f25 tmp]# grep nitializ /var/log/krb5kdc.log
Jun 01 14:37:07 ipa-devel-f25.ipaf25.devel krb5kdc[20471](info): Initializing IPA certauth plugin.
Jun 01 14:37:07 ipa-devel-f25.ipaf25.devel krb5kdc[20471](info): sss_certmap initialized.
Jun 01 14:42:20 ipa-devel-f25.ipaf25.devel krb5kdc[20471](info): Initializing IPA certauth plugin.
Jun 01 14:42:20 ipa-devel-f25.ipaf25.devel krb5kdc[20471](info): sss_certmap initialized.
Jun 01 14:47:29 ipa-devel-f25.ipaf25.devel krb5kdc[20471](info): Initializing IPA certauth plugin.
Jun 01 14:47:29 ipa-devel-f25.ipaf25.devel krb5kdc[20471](info): sss_certmap initialized.
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/823#issuecomment-305483776


[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically

2017-06-01 Thread dkupka via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

dkupka commented:
"""
@sumit-bose Works suspiciously well. I would expect some delay (up to 5 
minutes) between modifying the rule and the change being effective but there's 
none.
Is there a chance it (accidentally) reloads the rules with every TGT request? 
That would probably have undesired performance impact.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/823#issuecomment-305409180