authorSimo Sorce <ssorce@redhat.com>2012-05-23 12:35:44 -0400
committerRob Crittenden <rcritten@redhat.com>2012-06-06 22:12:22 -0400
commitf602ad270d06a0dd7f53c4aa6904d27daa07d4ae (patch)
tree6e029f602dd44652998064b52f97ec691b5ebc44
parentf8e7b516d923142a23058cb23ee817522686cfe3 (diff)
Add support for disabling KDC writes
Add two global ipaConfig options to disable undesirable writes that have a performance impact. "KDC:Disable Last Success" disables writing back to LDAP the time of the last successful AS request (successful kinit). "KDC:Disable Lockout" completely disables writing back lockout-related data; this means lockout policies will stop working. https://fedorahosted.org/freeipa/ticket/2734
-rw-r--r--API.txt2
-rw-r--r--daemons/ipa-kdb/ipa_kdb.c66
-rw-r--r--daemons/ipa-kdb/ipa_kdb.h2
-rw-r--r--daemons/ipa-kdb/ipa_kdb_audit_as.c7
-rw-r--r--ipalib/plugins/config.py3
5 files changed, 78 insertions, 2 deletions
diff --git a/API.txt b/API.txt
index 6c1ea45c9..8127b90b9 100644
--- a/API.txt
+++ b/API.txt
@@ -459,7 +459,7 @@ option: Bool('ipamigrationenabled', attribute=True, autofill=False, cli_name='en
option: Str('ipagroupobjectclasses', attribute=True, autofill=False, cli_name='groupobjectclasses', csv=True, multivalue=True, required=False)
option: Str('ipauserobjectclasses', attribute=True, autofill=False, cli_name='userobjectclasses', csv=True, multivalue=True, required=False)
option: Int('ipapwdexpadvnotify', attribute=True, autofill=False, cli_name='pwdexpnotify', minvalue=0, multivalue=False, required=False)
-option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowLMhash', u'AllowNThash'))
+option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowLMhash', u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
option: Str('ipaselinuxusermaporder', attribute=True, autofill=False, cli_name='ipaselinuxusermaporder', multivalue=False, required=False)
option: Str('ipaselinuxusermapdefault', attribute=True, autofill=False, cli_name='ipaselinuxusermapdefault', multivalue=False, required=False)
option: Str('setattr*', cli_name='setattr', exclude='webui')
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index ed87d6fef..3527cefa1 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -159,6 +159,65 @@ done:
return base;
}
+int ipadb_get_global_configs(struct ipadb_context *ipactx)
+{
+ char *attrs[] = { "ipaConfigString", NULL };
+ struct berval **vals = NULL;
+ LDAPMessage *res = NULL;
+ LDAPMessage *first;
+ char *base = NULL;
+ int i;
+ int ret;
+
+ ret = asprintf(&base, "cn=ipaConfig,cn=etc,%s", ipactx->base);
+ if (ret == -1) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = ipadb_simple_search(ipactx, base, LDAP_SCOPE_BASE,
+ "(objectclass=*)", attrs, &res);
+ if (ret) {
+ goto done;
+ }
+
+ first = ldap_first_entry(ipactx->lcontext, res);
+ if (!first) {
+ /* no results, set nothing */
+ ret = 0;
+ goto done;
+ }
+
+ vals = ldap_get_values_len(ipactx->lcontext, first,
+ "ipaConfigString");
+ if (!vals || !vals[0]) {
+ /* no config, set nothing */
+ ret = 0;
+ goto done;
+ }
+
+ for (i = 0; vals[i]; i++) {
+ if (strncasecmp("KDC:Disable Last Success",
+ vals[i]->bv_val, vals[i]->bv_len) == 0) {
+ ipactx->disable_last_success = true;
+ continue;
+ }
+ if (strncasecmp("KDC:Disable Lockout",
+ vals[i]->bv_val, vals[i]->bv_len) == 0) {
+ ipactx->disable_lockout = true;
+ continue;
+ }
+ }
+
+ ret = 0;
+
+done:
+ ldap_value_free_len(vals);
+ ldap_msgfree(res);
+ free(base);
+ return ret;
+}
+
int ipadb_get_connection(struct ipadb_context *ipactx)
{
struct berval **vals = NULL;
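Review bot: The two strncasecmp calls in the loop (the "KDC:Disable Last Success" and "KDC:Disable Lockout" checks) bound the comparison by the LDAP value's length, so any ipaConfigString value that is merely a prefix of an option name — "KDC:Disable", "KDC:", or an empty value if the server accepts one — compares equal and silently sets the flag, i.e. a typo in the config can turn lockout off. The comparison should require the lengths to match before comparing, which is easiest with a small static helper used by both checks. Separately, both flags are only ever set to true here and never reset; if ipadb_get_connection is re-run on reconnect with the same ipadb_context (not visible here), an option that was removed from cn=ipaConfig would stay in effect until the KDC restarts, so clearing both flags at the top of the function looks safer. The hunk also shows the tail of the previous function and the start of ipadb_get_connection, both of which continue outside it.
```c
/* True when VAL is exactly NAME, ignoring case. The length must match too,
 * otherwise a value that is a prefix of NAME (e.g. "KDC:") would match. */
static bool ipadb_config_is(const struct berval *val, const char *name)
{
    size_t len = strlen(name);
    return val->bv_len == len && strncasecmp(name, val->bv_val, len) == 0;
}

/* … unchanged: search of cn=ipaConfig,cn=etc and ldap_get_values_len … */
    for (i = 0; vals[i]; i++) {
        if (ipadb_config_is(vals[i], "KDC:Disable Last Success")) {
            ipactx->disable_last_success = true;
        } else if (ipadb_config_is(vals[i], "KDC:Disable Lockout")) {
            ipactx->disable_lockout = true;
        }
    }
```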
@@ -259,6 +318,13 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
ipactx->supp_encs = kst;
ipactx->n_supp_encs = n_kst;
+ /* get additional options */
+ ret = ipadb_get_global_configs(ipactx);
+ if (ret) {
+ goto done;
+ }
+
+ /* get adtrust options */
ret = ipadb_reinit_mspac(ipactx);
if (ret && ret != ENOENT) {
/* TODO: log that there is an issue with adtrust settings */
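Review bot: Any non-zero return from ipadb_get_global_configs now aborts ipadb_get_connection, whereas the ipadb_reinit_mspac call right below tolerates ENOENT; the error codes ipadb_simple_search can return are not visible here, so it is unclear whether a missing cn=ipaConfig entry or a read denied by an ACL would take the whole KDC connection down. Since both flags default to false (all writes enabled, lockout enforced), falling back to the defaults on a read failure would be the conservative choice, or at least the reason for failing hard should be stated: `/* a failure to read cn=ipaConfig is fatal: we do not want to guess whether lockout writes were meant to be disabled */`. ipadb_get_connection begins and ends outside this hunk.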
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 996d8448b..c1cc7a7d8 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -92,6 +92,8 @@ struct ipadb_context {
krb5_key_salt_tuple *supp_encs;
int n_supp_encs;
struct ipadb_wincompat wc;
+ bool disable_last_success;
+ bool disable_lockout;
};
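Review bot: The two new fields carry no comment saying where they come from or what their zero value means, and their default depends on how the context is allocated, which is not visible in this hunk. I would annotate them as `bool disable_last_success; /* ipaConfigString "KDC:Disable Last Success": skip last_success writes */` and `bool disable_lockout; /* ipaConfigString "KDC:Disable Lockout": skip all lockout bookkeeping, lockout policy is not enforced */`, and note that both rely on the context being zero-initialized so the default is "writes enabled". struct ipadb_context starts outside the hunk.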
#define IPA_E_DATA_MAGIC 0x0eda7a
diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c
index 64af8b2f9..7596db0fa 100644
--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
+++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
@@ -72,6 +72,9 @@ void ipadb_audit_as_req(krb5_context kcontext,
client->fail_auth_count = 0;
client->mask |= KMASK_FAIL_AUTH_COUNT;
}
+ if (ipactx->disable_last_success) {
+ break;
+ }
client->last_success = authtime;
client->mask |= KMASK_LAST_SUCCESS;
}
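Review bot: The new `if (ipactx->disable_last_success) break;` only skips the last_success write, but the fail_auth_count reset just above it (`client->fail_auth_count = 0; client->mask |= KMASK_FAIL_AUTH_COUNT;`) is lockout bookkeeping and is still written when disable_lockout is set, which contradicts the commit's "disable completely writing back lockout related data". The reset should be guarded by `!ipactx->disable_lockout` as well, on the condition line that precedes this hunk, so that a stale non-zero counter does not trigger a write on every successful AS request. The case label and the condition around the reset are outside the hunk, so this is inferred from the three lines shown; ipadb_audit_as_req starts before the hunk.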
@@ -80,6 +83,10 @@ void ipadb_audit_as_req(krb5_context kcontext,
case KRB5KDC_ERR_PREAUTH_FAILED:
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+ if (ipactx->disable_lockout) {
+ break;
+ }
+
if (client->last_failed <= ied->last_admin_unlock) {
/* Reset fail_auth_count, and admin unlocked the account */
client->fail_auth_count = 0;
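Review bot: The early `break` for disable_lockout drops all failure bookkeeping, including the comparison against ied->last_admin_unlock below it, but nothing in the code says that this also means the lockout policy is no longer enforced by this KDC, and whether an already-locked principal stays locked is decided elsewhere and is not visible here. I would make the security consequence explicit at the break: `/* KDC:Disable Lockout: no failure is recorded, so the password lockout policy is not enforced by this KDC (see ticket 2734) */`. The switch and the rest of the failure handling continue outside this hunk.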
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index 30f26addf..c8230e23a 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -177,7 +177,8 @@ class config(LDAPObject):
cli_name='ipaconfigstring',
label=_('Password plugin features'),
doc=_('Extra hashes to generate in password plug-in'),
- values=(u'AllowLMhash', u'AllowNThash'),
+ values=(u'AllowLMhash', u'AllowNThash',
+ u'KDC:Disable Last Success', u'KDC:Disable Lockout'),
csv=True,
),
Str('ipaselinuxusermaporder',
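Review bot: The label 'Password plugin features' and the doc 'Extra hashes to generate in password plug-in' on the context lines just above the change no longer describe the option now that the enum also carries the two KDC write switches, and nothing tells an administrator that "KDC:Disable Lockout" turns off the lockout policy. I would change the doc to `doc=_('Extra hashes to generate in password plug-in, and KDC write options; KDC:Disable Lockout disables the password lockout policy')` and widen the label to `label=_('Password plugin and KDC features')`. The enclosing takes_params tuple and the config class start outside the hunk.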