Loris Santamaria wrote:
Hi

on a production IPA realm with 3 servers and about 2000 users we were
experiencing a very high load on the servers. Further investigation
showed that the high load was caused by a lot of writes done by the IPA
dirsrv instance. Activating the audit logging showed a lot of MOD
operations to the directory, like these:

time: 20130204140217
dn: uid=XXXX,cn=users,cn=accounts,dc=XXX,dc=XXX,dc=XX
changetype: modify
replace: modifiersName
modifiersName: cn=IPA Lockout,cn=plugins,cn=config
-
replace: modifyTimestamp
modifyTimestamp: 20130204183216Z
-
replace: entryusn
entryusn: 3472506
-

time: 20130204140217
dn: uid=XXXX,cn=users,cn=accounts,dc=XXX,dc=XXX,dc=XX
changetype: modify
replace: modifiersName
modifiersName: cn=IPA Lockout,cn=plugins,cn=config
-
replace: modifyTimestamp
modifyTimestamp: 20130204183217Z
-
replace: entryusn
entryusn: 3472507

There is an HTTP proxy server which connects to IPA to perform user
authorization and it seems that it does a BIND on behalf of the user for
every page the user visits... and for every successful BIND the IPA
Lockout plugin does the MODs indicated above.

It should be noted that currently we are not locking accounts on failed
authentication to the directory, so the above MODs seem completely
unnecessary.

For the time being we disabled the ipa lockout plugin, but we would like
to know if the behavior highlighted above is expected or if we should
file a bug.

Fixed in 389-ds-base 1.2.11. See bug https://bugzilla.redhat.com/show_bug.cgi?id=782975

The commit is:

https://lists.fedoraproject.org/pipermail/389-commits/2012-May/005209.html

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
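
To measure the write pattern described in the thread, the following added example (not part of the original messages, and not 389-ds or FreeIPA code) parses audit-log records in the layout quoted above and counts the modifies that change nothing except modifiersName, modifyTimestamp and entryusn. The sample records, the example DNs and the function names are constructed for illustration; the parser assumes records are separated by blank lines.

```python
import re
from collections import Counter

# Attributes the server updates on every write; a MOD touching only these
# changed no real data on the entry.
BOOKKEEPING = {"modifiersname", "modifytimestamp", "entryusn"}
MOD_OPS = ("add", "replace", "delete")

def parse_records(text):
    """Yield (dn, modifier, touched_attrs) for each modify record."""
    text = text.replace("\n ", "")          # unfold LDIF continuation lines
    for block in re.split(r"\n\s*\n", text):
        fields, touched = {}, set()
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if not sep:                      # "-" separators and blanks
                continue
            if key in MOD_OPS:
                touched.add(value.strip().lower())
            else:
                fields[key.lower()] = value.strip()
        if fields.get("changetype") == "modify":
            yield fields.get("dn"), fields.get("modifiersname"), touched

def bookkeeping_only_writes(text):
    """Count modifies per (modifier, dn) that touch only bookkeeping attrs."""
    hits = Counter()
    for dn, modifier, touched in parse_records(text):
        if touched and touched <= BOOKKEEPING:
            hits[(modifier, dn)] += 1
    return hits

def make_record(dn, modifier, changes):
    """Build one constructed audit-log record (sample data only)."""
    lines = ["time: 20130204140217", f"dn: {dn}", "changetype: modify"]
    for attr, value in changes + [("modifiersName", modifier)]:
        lines += [f"replace: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines)

LOCKOUT = "cn=IPA Lockout,cn=plugins,cn=config"
ALICE = "uid=alice,cn=users,cn=accounts,dc=example,dc=test"   # constructed
BOB = "uid=bob,cn=users,cn=accounts,dc=example,dc=test"       # constructed
SAMPLE = "\n\n".join([
    make_record(ALICE, LOCKOUT, [("modifyTimestamp", "20130204183216Z"), ("entryusn", "101")]),
    make_record(ALICE, LOCKOUT, [("modifyTimestamp", "20130204183217Z"), ("entryusn", "102")]),
    make_record(BOB, ALICE, [("mail", "bob@example.test")]),
])

if __name__ == "__main__":
    for (modifier, dn), n in bookkeeping_only_writes(SAMPLE).most_common():
        print(f"{n:6d}  {modifier}  ->  {dn}")
```

A high count for one modifier across many user entries, rising with successful BINDs, matches the symptom reported here.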