authorSimo Sorce <ssorce@redhat.com>2012-05-23 12:35:44 -0400
committerRob Crittenden <rcritten@redhat.com>2012-06-06 22:12:22 -0400
commitf602ad270d06a0dd7f53c4aa6904d27daa07d4ae (patch)
tree6e029f602dd44652998064b52f97ec691b5ebc44 /daemons/ipa-kdb/ipa_kdb_audit_as.c
parentf8e7b516d923142a23058cb23ee817522686cfe3 (diff)
Add support for disabling KDC writes
Add two global ipaConfig options to disable undesirable writes that have a performance impact. The "KDC:Disable Last Success" option disables writing the last successful AS Request time (successful kinit) back to LDAP. The "KDC:Disable Lockout" option completely disables writing back lockout-related data. This means lockout policies will stop working. https://fedorahosted.org/freeipa/ticket/2734
Diffstat (limited to 'daemons/ipa-kdb/ipa_kdb_audit_as.c')
-rw-r--r--daemons/ipa-kdb/ipa_kdb_audit_as.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c
index 64af8b2f9..7596db0fa 100644
--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
+++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
@@ -72,6 +72,9 @@ void ipadb_audit_as_req(krb5_context kcontext,
client->fail_auth_count = 0;
client->mask |= KMASK_FAIL_AUTH_COUNT;
}
+ if (ipactx->disable_last_success) {
+ break;
+ }
client->last_success = authtime;
client->mask |= KMASK_LAST_SUCCESS;
}
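Review bot: The early `break` inside the pre-auth `if` makes statement order load-bearing: the `fail_auth_count` reset is still persisted only because it sits above the new check, and anything later added below it in this case is silently skipped when `disable_last_success` is set. Guarding just the two assignments reads more safely, e.g. `if (!ipactx->disable_last_success) { client->last_success = authtime; client->mask |= KMASK_LAST_SUCCESS; }`. If the `break` is kept, a comment such as `/* last_success write-back disabled; the fail count reset above is still written */` would record the intent. The body of `ipadb_audit_as_req` starts and ends outside this hunk, so whether `ipactx` is checked for NULL before this dereference cannot be confirmed from here.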
@@ -80,6 +83,10 @@ void ipadb_audit_as_req(krb5_context kcontext,
case KRB5KDC_ERR_PREAUTH_FAILED:
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+ if (ipactx->disable_lockout) {
+ break;
+ }
+
if (client->last_failed <= ied->last_admin_unlock) {
/* Reset fail_auth_count, and admin unlocked the account */
client->fail_auth_count = 0;
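Review bot: With `disable_lockout` set, the `break` at the top of the `KRB5KDC_ERR_PREAUTH_FAILED` / `KRB5KRB_AP_ERR_BAD_INTEGRITY` case means a failed pre-authentication leaves no trace on the principal through this path, so repeated password guessing is visible only in whatever the KDC logs elsewhere. A comment at the check would make that trade-off explicit to the next maintainer, for example `/* lockout accounting disabled by ipaConfig: failures are not recorded here, detection must rely on KDC logs */`. The check also sits ahead of the admin-unlock reset, so any `fail_auth_count` or `last_failed` stored before the option was enabled stays in the entry. Whether the policy check that enforces lockout also consults `disable_lockout` is not visible in this file's diff and should be confirmed, since stale counters could otherwise keep an account locked. The case body continues past the end of the hunk.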