author | Simo Sorce <ssorce@redhat.com> | 2012-05-23 12:35:44 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2012-06-06 22:12:22 -0400 |
commit | f602ad270d06a0dd7f53c4aa6904d27daa07d4ae (patch) | |
tree | 6e029f602dd44652998064b52f97ec691b5ebc44 /daemons/ipa-kdb/ipa_kdb_audit_as.c | |
parent | f8e7b516d923142a23058cb23ee817522686cfe3 (diff) | |
Add support for disabling KDC writes
Add two global ipaConfig options to disable undesirable writes that have
performance impact.
The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)
The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.
https://fedorahosted.org/freeipa/ticket/2734
Diffstat (limited to 'daemons/ipa-kdb/ipa_kdb_audit_as.c')
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb_audit_as.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c index 64af8b2f9..7596db0fa 100644 --- a/daemons/ipa-kdb/ipa_kdb_audit_as.c +++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c @@ -72,6 +72,9 @@ void ipadb_audit_as_req(krb5_context kcontext, client->fail_auth_count = 0; client->mask |= KMASK_FAIL_AUTH_COUNT; } + if (ipactx->disable_last_success) { + break; + } client->last_success = authtime; client->mask |= KMASK_LAST_SUCCESS; } @@ -80,6 +83,10 @@ void ipadb_audit_as_req(krb5_context kcontext, case KRB5KDC_ERR_PREAUTH_FAILED: case KRB5KRB_AP_ERR_BAD_INTEGRITY: + if (ipactx->disable_lockout) { + break; + } + if (client->last_failed <= ied->last_admin_unlock) { /* Reset fail_auth_count, and admin unlocked the account */ client->fail_auth_count = 0; |
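Review bot: In the first hunk (success path, around line 72), the new `disable_last_success` check comes after the `fail_auth_count` reset, and nothing in the lines shown gates that reset on `disable_lockout`. A successful AS request can therefore still queue a lockout-related write (`KMASK_FAIL_AUTH_COUNT`) even when lockout writes are meant to be disabled completely. Consider skipping the reset when `ipactx->disable_lockout` is set. Also consider wrapping the two `last_success` assignments in `if (!ipactx->disable_last_success) { ... }` instead of using an early `break`, so that code added to this case later is not skipped unintentionally.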
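Review bot: In the second hunk, the `disable_lockout` check at the top of the `KRB5KDC_ERR_PREAUTH_FAILED` / `KRB5KRB_AP_ERR_BAD_INTEGRITY` case carries no comment, although it skips all failed-authentication bookkeeping in that case, including the admin-unlock reset visible just below it. The commit message states that lockout policies stop working with this option. Please add a comment at the check saying so, so that a reader of this function sees that failed pre-authentication attempts are no longer counted. A log message when the option is found enabled would also make the reduced password-guessing protection visible to operators.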