author | Simo Sorce <ssorce@redhat.com> | 2012-05-23 12:35:44 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2012-06-06 22:12:22 -0400 |
commit | f602ad270d06a0dd7f53c4aa6904d27daa07d4ae (patch) | |
tree | 6e029f602dd44652998064b52f97ec691b5ebc44 /daemons/ipa-kdb | |
parent | f8e7b516d923142a23058cb23ee817522686cfe3 (diff) | |
download | freeipa-f602ad270d06a0dd7f53c4aa6904d27daa07d4ae.tar.gz freeipa-f602ad270d06a0dd7f53c4aa6904d27daa07d4ae.tar.xz freeipa-f602ad270d06a0dd7f53c4aa6904d27daa07d4ae.zip |
Add support for disabling KDC writes
Add two global ipaConfig options to disable undesirable writes that have
performance impact.
The "KDC:Disable Last Success" option disables writing the time of the last
successful AS request (successful kinit) back to LDAP.
The "KDC:Disable Lockout" option completely disables writing lockout-related
data back to LDAP. This means lockout policies will stop working.
https://fedorahosted.org/freeipa/ticket/2734
Diffstat (limited to 'daemons/ipa-kdb')
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb.c | 66 | ||||
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb.h | 2 | ||||
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb_audit_as.c | 7 |
3 files changed, 75 insertions, 0 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index ed87d6fef..3527cefa1 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -159,6 +159,65 @@ done:
     return base;
 }
 
+int ipadb_get_global_configs(struct ipadb_context *ipactx)
+{
+    char *attrs[] = { "ipaConfigString", NULL };
+    struct berval **vals = NULL;
+    LDAPMessage *res = NULL;
+    LDAPMessage *first;
+    char *base = NULL;
+    int i;
+    int ret;
+
+    ret = asprintf(&base, "cn=ipaConfig,cn=etc,%s", ipactx->base);
+    if (ret == -1) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    ret = ipadb_simple_search(ipactx, base, LDAP_SCOPE_BASE,
+                              "(objectclass=*)", attrs, &res);
+    if (ret) {
+        goto done;
+    }
+
+    first = ldap_first_entry(ipactx->lcontext, res);
+    if (!first) {
+        /* no results, set nothing */
+        ret = 0;
+        goto done;
+    }
+
+    vals = ldap_get_values_len(ipactx->lcontext, first,
+                               "ipaConfigString");
+    if (!vals || !vals[0]) {
+        /* no config, set nothing */
+        ret = 0;
+        goto done;
+    }
+
+    for (i = 0; vals[i]; i++) {
+        if (strncasecmp("KDC:Disable Last Success",
+                        vals[i]->bv_val, vals[i]->bv_len) == 0) {
+            ipactx->disable_last_success = true;
+            continue;
+        }
+        if (strncasecmp("KDC:Disable Lockout",
+                        vals[i]->bv_val, vals[i]->bv_len) == 0) {
+            ipactx->disable_lockout = true;
+            continue;
+        }
+    }
+
+    ret = 0;
+
+done:
+    ldap_value_free_len(vals);
+    ldap_msgfree(res);
+    free(base);
+    return ret;
+}
+
 int ipadb_get_connection(struct ipadb_context *ipactx)
 {
     struct berval **vals = NULL;
@@ -259,6 +318,13 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
     ipactx->supp_encs = kst;
     ipactx->n_supp_encs = n_kst;
 
+    /* get additional options */
+    ret = ipadb_get_global_configs(ipactx);
+    if (ret) {
+        goto done;
+    }
+
+    /* get adtrust options */
     ret = ipadb_reinit_mspac(ipactx);
     if (ret && ret != ENOENT) {
         /* TODO: log that there is an issue with adtrust settings */
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 996d8448b..c1cc7a7d8 100644
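Review bot: The two strncasecmp calls in ipadb_get_global_configs bound the comparison by `vals[i]->bv_len` alone, so any value that is a prefix of the option name is accepted as that option — an ipaConfigString of "KDC:Disable", or even an empty value (strncasecmp with length 0 returns 0), silently turns off last-success or lockout writes. Compare the lengths before the bytes, for instance through a small helper as below, so only an exact (case-insensitive) match sets a flag. A second, smaller point: both flags are only ever set to true, so if ipadb_get_connection is re-run on an existing context (a reconnect), an option removed from cn=ipaConfig stays in effect; resetting `ipactx->disable_last_success = false;` and `ipactx->disable_lockout = false;` at the top of the function would make each read authoritative — whether that re-run happens is not visible here.
```c
/* True only when value equals opt exactly (case-insensitive), not merely a prefix of it. */
static bool ipadb_config_is(const struct berval *value, const char *opt)
{
    size_t len = strlen(opt);
    return value->bv_len == len && strncasecmp(opt, value->bv_val, len) == 0;
}
/* … unchanged: search, first-entry and value retrieval … */
    for (i = 0; vals[i]; i++) {
        if (ipadb_config_is(vals[i], "KDC:Disable Last Success")) {
            ipactx->disable_last_success = true;
            continue;
        }
        if (ipadb_config_is(vals[i], "KDC:Disable Lockout")) {
            ipactx->disable_lockout = true;
            continue;
        }
    }
```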
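Review bot: The new call in ipadb_get_connection treats every non-zero return from ipadb_get_global_configs as fatal for the connection, while the ipadb_reinit_mspac call directly below tolerates ENOENT. Whether ipadb_simple_search reports a missing cn=ipaConfig entry as an error or as an empty result is not visible here; if it is an error, a deployment without that entry would no longer get a KDC backend connection at all, and `if (ret && ret != ENOENT) {` would match the neighbouring call and the "set nothing" defaults chosen inside ipadb_get_global_configs. The enclosing function starts and ends outside the hunk.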
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -92,6 +92,8 @@ struct ipadb_context {
     krb5_key_salt_tuple *supp_encs;
     int n_supp_encs;
     struct ipadb_wincompat wc;
+    bool disable_last_success;
+    bool disable_lockout;
 };
 
 #define IPA_E_DATA_MAGIC 0x0eda7a
diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c
index 64af8b2f9..7596db0fa 100644
--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
+++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
@@ -72,6 +72,9 @@ void ipadb_audit_as_req(krb5_context kcontext,
             client->fail_auth_count = 0;
             client->mask |= KMASK_FAIL_AUTH_COUNT;
         }
+        if (ipactx->disable_last_success) {
+            break;
+        }
         client->last_success = authtime;
         client->mask |= KMASK_LAST_SUCCESS;
     }
@@ -80,6 +83,10 @@ void ipadb_audit_as_req(krb5_context kcontext,
 
     case KRB5KDC_ERR_PREAUTH_FAILED:
     case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+        if (ipactx->disable_lockout) {
+            break;
+        }
+
         if (client->last_failed <= ied->last_admin_unlock) {
             /* Reset fail_auth_count, and admin unlocked the account */
             client->fail_auth_count = 0;
 |
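Review bot: In ipadb_audit_as_req the disable_lockout guard added in the second hunk covers only the failure path; on the success path (first hunk) the reset of `client->fail_auth_count` and `KMASK_FAIL_AUTH_COUNT` that precedes the new disable_last_success check is still performed, so lockout-related data is still written back on successful requests even when "KDC:Disable Lockout" is set (the condition guarding that reset sits just above the hunk and is not visible). If the option is meant to suppress all lockout writes as the commit message states, that reset needs the same `if (!ipactx->disable_lockout)` guard; if the asymmetry is intentional, a comment on the new break, `/* last-success write disabled; the fail-count reset above is still recorded */`, would keep the next reader from "fixing" it. The break statements rely on the enclosing switch, which begins and ends outside both hunks.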