authorGreg Hudson <ghudson@mit.edu>2010-10-07 17:49:44 +0000
committerGreg Hudson <ghudson@mit.edu>2010-10-07 17:49:44 +0000
commit5a28daefe46c1592936115a7b6c9c9b97957b148 (patch)
treeba6d9178e31a76ee7cd546e71267f6891cfdd4bc /src/plugins/kdb/ldap
parent0d5df56ea6d4a05c31b7e513ee9ec1542a4b5dce (diff)
Performance issue in LDAP policy fetch
Instead of performing a tree search to fill in the refcnt field of a policy object whenever a policy is fetched, set the refcnt to 0 and perform a check when policies are deleted. ticket: 6799 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24440 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins/kdb/ldap')
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c20
1 files changed, 14 insertions, 6 deletions
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
index d58fbe9657..0d76453839 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
@@ -214,11 +214,12 @@ populate_policy(krb5_context context,
krb5_ldap_get_value(ld, ent, "krbpwdfailurecountinterval", &(pol_entry->pw_failcnt_interval));
krb5_ldap_get_value(ld, ent, "krbpwdlockoutduration", &(pol_entry->pw_lockout_duration));
- /* Get the reference count */
- pol_dn = ldap_get_dn(ld, ent);
- st = krb5_ldap_get_reference_count (context, pol_dn, "krbPwdPolicyReference",
- &(pol_entry->policy_refcnt), ld);
- ldap_memfree(pol_dn);
+ /*
+ * We don't store the policy refcnt, because principals might be maintained
+ * outside of kadmin. Instead, we will check for principal references when
+ * policies are deleted.
+ */
+ pol_entry->policy_refcnt = 0;
cleanup:
return st;
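Review bot: After this hunk every fetched policy reports `policy_refcnt` as 0, and the new comment does not say that the field is now a placeholder rather than a real count. Any caller that still displays the field or uses it to guard deletion will see "unreferenced" even when principals point at the policy. I would extend the comment with something like `/* policy_refcnt is always reported as 0 here and must not be used to decide whether a policy is in use. */`. The `pol_dn` local was used only by the removed lines and is presumably declared above the hunk, so it may now be unused. populate_policy starts outside the hunk.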
@@ -329,7 +330,7 @@ cleanup:
krb5_error_code
krb5_ldap_delete_password_policy(krb5_context context, char *policy)
{
- int mask = 0;
+ int mask = 0, refcount;
char *policy_dn = NULL, *class[] = {"krbpwdpolicy", NULL};
krb5_error_code st=0;
LDAP *ld=NULL;
@@ -351,6 +352,13 @@ krb5_ldap_delete_password_policy(krb5_context context, char *policy)
if (st != 0)
goto cleanup;
+ st = krb5_ldap_get_reference_count(context, policy_dn,
+ "krbPwdPolicyReference", &refcount, ld);
+ if (st == 0 && refcount != 0)
+ st = KRB5_KDB_POLICY_REF;
+ if (st != 0)
+ goto cleanup;
+
/* Ensure that the object is a password policy */
if ((st=checkattributevalue(ld, policy_dn, "objectclass", class, &mask)) != 0)
goto cleanup;
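Review bot: The reference check added here and the delete that presumably follows later in the function are separate LDAP operations, so a principal that gains a `krbPwdPolicyReference` to this policy in between is not detected and would be left pointing at a deleted policy. The commit's own comment says principals may be maintained outside kadmin, so this window deserves a note at the check, e.g. `/* Best-effort: a reference added after this search is not seen; lookups must tolerate a missing policy. */`. The count is also taken before the objectclass check, so the subtree search runs, and `KRB5_KDB_POLICY_REF` can be returned, for a DN that is not a password policy. Moving the added block below the `checkattributevalue` call would avoid that. The function body continues outside the hunk.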