From f602ad270d06a0dd7f53c4aa6904d27daa07d4ae Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Wed, 23 May 2012 12:35:44 -0400
Subject: Add support for disabling KDC writes
Add two global ipaConfig options to disable undesirable writes that have performance impact. The "KDC:Disable Last Success" will disable writing back to ldap the last successful AS Request time (successful kinit) The "KDC:Disable Lockout" will disable completely writing back lockout related data. This means lockout policies will stop working. https://fedorahosted.org/freeipa/ticket/2734
---
 API.txt | 2 +-
 daemons/ipa-kdb/ipa_kdb.c | 66 ++++++++++++++++++++++++++++++++++++++
 daemons/ipa-kdb/ipa_kdb.h | 2 ++
 daemons/ipa-kdb/ipa_kdb_audit_as.c | 7 ++++
 ipalib/plugins/config.py | 3 +-
 5 files changed, 78 insertions(+), 2 deletions(-)
diff --git a/API.txt b/API.txt
index 6c1ea45c9..8127b90b9 100644
--- a/API.txt
+++ b/API.txt
@@ -459,7 +459,7 @@ option: Bool('ipamigrationenabled', attribute=True, autofill=False, cli_name='en
 option: Str('ipagroupobjectclasses', attribute=True, autofill=False, cli_name='groupobjectclasses', csv=True, multivalue=True, required=False)
 option: Str('ipauserobjectclasses', attribute=True, autofill=False, cli_name='userobjectclasses', csv=True, multivalue=True, required=False)
 option: Int('ipapwdexpadvnotify', attribute=True, autofill=False, cli_name='pwdexpnotify', minvalue=0, multivalue=False, required=False)
-option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowLMhash', u'AllowNThash'))
+option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowLMhash', u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
 option: Str('ipaselinuxusermaporder', attribute=True, autofill=False, cli_name='ipaselinuxusermaporder', multivalue=False, required=False)
 option: Str('ipaselinuxusermapdefault', attribute=True, autofill=False, cli_name='ipaselinuxusermapdefault', multivalue=False, required=False)
 option: Str('setattr*', cli_name='setattr', exclude='webui')
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index ed87d6fef..3527cefa1 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -159,6 +159,65 @@ done:
 return base;
 }
 
+int ipadb_get_global_configs(struct ipadb_context *ipactx)
+{
+ char *attrs[] = { "ipaConfigString", NULL };
+ struct berval **vals = NULL;
+ LDAPMessage *res = NULL;
+ LDAPMessage *first;
+ char *base = NULL;
+ int i;
+ int ret;
+
+ ret = asprintf(&base, "cn=ipaConfig,cn=etc,%s", ipactx->base);
+ if (ret == -1) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = ipadb_simple_search(ipactx, base, LDAP_SCOPE_BASE,
+ "(objectclass=*)", attrs, &res);
+ if (ret) {
+ goto done;
+ }
+
+ first = ldap_first_entry(ipactx->lcontext, res);
+ if (!first) {
+ /* no results, set nothing */
+ ret = 0;
+ goto done;
+ }
+
+ vals = ldap_get_values_len(ipactx->lcontext, first,
+ "ipaConfigString");
+ if (!vals || !vals[0]) {
+ /* no config, set nothing */
+ ret = 0;
+ goto done;
+ }
+
+ for (i = 0; vals[i]; i++) {
+ if (strncasecmp("KDC:Disable Last Success",
+ vals[i]->bv_val, vals[i]->bv_len) == 0) {
+ ipactx->disable_last_success = true;
+ continue;
+ }
+ if (strncasecmp("KDC:Disable Lockout",
+ vals[i]->bv_val, vals[i]->bv_len) == 0) {
+ ipactx->disable_lockout = true;
+ continue;
+ }
+ }
+
+ ret = 0;
+
+done:
+ ldap_value_free_len(vals);
+ ldap_msgfree(res);
+ free(base);
+ return ret;
+}
+
 int ipadb_get_connection(struct ipadb_context *ipactx)
 {
 struct berval **vals = NULL;
@@ -259,6 +318,13 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
 ipactx->supp_encs = kst;
 ipactx->n_supp_encs = n_kst;
 
+ /* get additional options */
+ ret = ipadb_get_global_configs(ipactx);
+ if (ret) {
+ goto done;
+ }
+
+ /* get adtrust options */
 ret = ipadb_reinit_mspac(ipactx);
 if (ret && ret != ENOENT) {
 /* TODO: log that there is an issue with adtrust settings */
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 996d8448b..c1cc7a7d8 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
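Review bot: The option matching in the `for` loop over `vals[i]` in `ipadb_get_global_configs` is a prefix test, not an equality test: `strncasecmp` is bounded by `vals[i]->bv_len`, so any ipaConfigString value that is a leading substring of a literal compares equal (a value truncated to `KDC:Disable` sets `disable_last_success`, and an empty value matches with n == 0), which silently turns on a flag that, for `disable_lockout`, switches lockout accounting off entirely. The comparison should also require `vals[i]->bv_len` to equal the literal's length. The function only ever sets the flags to `true`; if `ipadb_get_connection` is re-run on the same context after a reconnect (the second hunk calls it from there), removing the option from LDAP would not clear a previously-set flag, so both should presumably be reset at the top of the function. Logging when either flag is found would let an operator see that lockout enforcement is off on this KDC.
```c
int ipadb_get_global_configs(struct ipadb_context *ipactx)
{
    /* … unchanged: local declarations … */

    /* start from "enabled" so a re-read after the option is removed clears it */
    ipactx->disable_last_success = false;
    ipactx->disable_lockout = false;

    /* … unchanged: asprintf, ipadb_simple_search, ldap_get_values_len … */

    for (i = 0; vals[i]; i++) {
        /* exact (case-insensitive) match: a prefix must not enable the flag */
        if (vals[i]->bv_len == strlen("KDC:Disable Last Success") &&
            strncasecmp("KDC:Disable Last Success",
                        vals[i]->bv_val, vals[i]->bv_len) == 0) {
            ipactx->disable_last_success = true;
            continue;
        }
        if (vals[i]->bv_len == strlen("KDC:Disable Lockout") &&
            strncasecmp("KDC:Disable Lockout",
                        vals[i]->bv_val, vals[i]->bv_len) == 0) {
            ipactx->disable_lockout = true;
            continue;
        }
    }

    /* … unchanged: ret = 0; done: cleanup and return … */
```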
@@ -92,6 +92,8 @@ struct ipadb_context {
 krb5_key_salt_tuple *supp_encs;
 int n_supp_encs;
 struct ipadb_wincompat wc;
+ bool disable_last_success;
+ bool disable_lockout;
 };
 
 #define IPA_E_DATA_MAGIC 0x0eda7a
diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c
index 64af8b2f9..7596db0fa 100644
--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
+++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
@@ -72,6 +72,9 @@ void ipadb_audit_as_req(krb5_context kcontext,
 client->fail_auth_count = 0;
 client->mask |= KMASK_FAIL_AUTH_COUNT;
 }
+ if (ipactx->disable_last_success) {
+ break;
+ }
 client->last_success = authtime;
 client->mask |= KMASK_LAST_SUCCESS;
 }
@@ -80,6 +83,10 @@ void ipadb_audit_as_req(krb5_context kcontext,
 case KRB5KDC_ERR_PREAUTH_FAILED:
 case KRB5KRB_AP_ERR_BAD_INTEGRITY:
 
+ if (ipactx->disable_lockout) {
+ break;
+ }
+
 if (client->last_failed <= ied->last_admin_unlock) {
 /* Reset fail_auth_count, and admin unlocked the account */
 client->fail_auth_count = 0;
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index 30f26addf..c8230e23a 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -177,7 +177,8 @@ class config(LDAPObject):
 cli_name='ipaconfigstring',
 label=_('Password plugin features'),
 doc=_('Extra hashes to generate in password plug-in'),
- values=(u'AllowLMhash', u'AllowNThash'),
+ values=(u'AllowLMhash', u'AllowNThash',
+ u'KDC:Disable Last Success', u'KDC:Disable Lockout'),
 csv=True,
 ),
 Str('ipaselinuxusermaporder',
--
cgit
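Review bot: The two new members of `struct ipadb_context` carry no comment, and `disable_lockout` is the more consequential of the two because setting it stops the KDC from recording failed attempts, which is what lockout enforcement depends on. Suggested comments: `bool disable_last_success; /* ipaConfigString "KDC:Disable Last Success": skip writing the last successful AS time */` and `bool disable_lockout; /* ipaConfigString "KDC:Disable Lockout": skip all lockout bookkeeping writes; lockout policy no longer applies on this KDC */`. If ipa_kdb.h does not already include `<stdbool.h>` (its include list is outside the hunk), the new `bool` members need it.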
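Review bot: The new `disable_last_success` check in `ipadb_audit_as_req` sits after the `fail_auth_count` reset, so on a successful AS request the reset and its `KMASK_FAIL_AUTH_COUNT` write still happen even when `disable_lockout` is set, although the commit message says that option disables lockout write-back completely. That looks intentional (it clears a stale count left from before the option was enabled) but deserves a comment on the reset, e.g. `/* still written with disable_lockout: clears a count left over from before lockout was disabled */`, or an explicit `disable_lockout` guard if the message is to be taken literally. The `if` that encloses the reset starts outside the hunk, so its condition is not visible here.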
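Review bot: The `break` added under `KRB5KDC_ERR_PREAUTH_FAILED` / `KRB5KRB_AP_ERR_BAD_INTEGRITY` leaves the case before anything about the failure is recorded, so with `disable_lockout` set the KDC stops updating `last_failed` as well as the fail counter, and the admin-unlock comparison below it is skipped too. The option name only says "lockout", so an operator may not expect to lose the failed-authentication timestamp that is useful for spotting guessing attempts; a comment at the `break` would make the trade-off explicit, e.g. `/* no lockout bookkeeping at all: neither last_failed nor fail_auth_count is written */`. The rest of `ipadb_audit_as_req` is outside the hunk.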
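Review bot: The `label` and `doc` context lines above the changed `values` tuple still describe `ipaconfigstring` as password-plugin hash options, which no longer covers the two KDC values the commit adds, so the CLI help will not tell an administrator what `KDC:Disable Lockout` does. Extending the docstring, e.g. `doc=_('Extra hashes to generate in password plug-in, and KDC write-back options')`, and similarly the label, would close that gap; given that one of the values turns off lockout enforcement it is worth stating that consequence in the help text as the commit message does.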