Add support for disabling KDC writes

Add two global ipaConfig options to disable undesirable writes that have
performance impact.
The "KDC:Disable Last Success" will disable writing back to ldap the last
successful AS Request time (successful kinit)
The "KDC:Disable Lockout" will disable completely writing back lockout
related data. This means lockout policies will stop working.

https://fedorahosted.org/freeipa/ticket/2734

API.txt

@@ -459,7 +459,7 @@ option: Bool('ipamigrationenabled', attribute=True, autofill=False, cli_name='en
 option: Str('ipagroupobjectclasses', attribute=True, autofill=False, cli_name='groupobjectclasses', csv=True, multivalue=True, required=False)
 option: Str('ipauserobjectclasses', attribute=True, autofill=False, cli_name='userobjectclasses', csv=True, multivalue=True, required=False)
 option: Int('ipapwdexpadvnotify', attribute=True, autofill=False, cli_name='pwdexpnotify', minvalue=0, multivalue=False, required=False)
-option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowLMhash', u'AllowNThash'))
+option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowLMhash', u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
 option: Str('ipaselinuxusermaporder', attribute=True, autofill=False, cli_name='ipaselinuxusermaporder', multivalue=False, required=False)
 option: Str('ipaselinuxusermapdefault', attribute=True, autofill=False, cli_name='ipaselinuxusermapdefault', multivalue=False, required=False)
 option: Str('setattr*', cli_name='setattr', exclude='webui')

daemons/ipa-kdb/ipa_kdb.c

@@ -159,6 +159,65 @@ done:
     return base;
 }
 
+int ipadb_get_global_configs(struct ipadb_context *ipactx)
+{
+    char *attrs[] = { "ipaConfigString", NULL };
+    struct berval **vals = NULL;
+    LDAPMessage *res = NULL;
+    LDAPMessage *first;
+    char *base = NULL;
+    int i;
+    int ret;
+
+    ret = asprintf(&base, "cn=ipaConfig,cn=etc,%s", ipactx->base);
+    if (ret == -1) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    ret = ipadb_simple_search(ipactx, base, LDAP_SCOPE_BASE,
+                              "(objectclass=*)", attrs, &res);
+    if (ret) {
+        goto done;
+    }
+
+    first = ldap_first_entry(ipactx->lcontext, res);
+    if (!first) {
+        /* no results, set nothing */
+        ret = 0;
+        goto done;
+    }
+
+    vals = ldap_get_values_len(ipactx->lcontext, first,
+                               "ipaConfigString");
+    if (!vals || !vals[0]) {
+        /* no config, set nothing */
+        ret = 0;
+        goto done;
+    }
+
+    for (i = 0; vals[i]; i++) {
+        if (strncasecmp("KDC:Disable Last Success",
+                        vals[i]->bv_val, vals[i]->bv_len) == 0) {
+            ipactx->disable_last_success = true;
+            continue;
+        }
+        if (strncasecmp("KDC:Disable Lockout",
+                        vals[i]->bv_val, vals[i]->bv_len) == 0) {
+            ipactx->disable_lockout = true;
+            continue;
+        }
+    }
+
+    ret = 0;
+
+done:
+    ldap_value_free_len(vals);
+    ldap_msgfree(res);
+    free(base);
+    return ret;
+}
+
 int ipadb_get_connection(struct ipadb_context *ipactx)
 {
     struct berval **vals = NULL;
@@ -259,6 +318,13 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
     ipactx->supp_encs = kst;
     ipactx->n_supp_encs = n_kst;
 
+    /* get additional options */
+    ret = ipadb_get_global_configs(ipactx);
+    if (ret) {
+        goto done;
+    }
+
+    /* get adtrust options */
     ret = ipadb_reinit_mspac(ipactx);
     if (ret && ret != ENOENT) {
         /* TODO: log that there is an issue with adtrust settings */

daemons/ipa-kdb/ipa_kdb.h

@@ -92,6 +92,8 @@ struct ipadb_context {
     krb5_key_salt_tuple *supp_encs;
     int n_supp_encs;
     struct ipadb_wincompat wc;
+    bool disable_last_success;
+    bool disable_lockout;
 };
 
 #define IPA_E_DATA_MAGIC 0x0eda7a

daemons/ipa-kdb/ipa_kdb_audit_as.c

@@ -72,6 +72,9 @@ void ipadb_audit_as_req(krb5_context kcontext,
                 client->fail_auth_count = 0;
                 client->mask |= KMASK_FAIL_AUTH_COUNT;
             }
+            if (ipactx->disable_last_success) {
+                break;
+            }
             client->last_success = authtime;
             client->mask |= KMASK_LAST_SUCCESS;
         }
@@ -80,6 +83,10 @@ void ipadb_audit_as_req(krb5_context kcontext,
     case KRB5KDC_ERR_PREAUTH_FAILED:
     case KRB5KRB_AP_ERR_BAD_INTEGRITY:
 
+        if (ipactx->disable_lockout) {
+            break;
+        }
+
         if (client->last_failed <= ied->last_admin_unlock) {
             /* Reset fail_auth_count, and admin unlocked the account */
             client->fail_auth_count = 0;

ipalib/plugins/config.py

@@ -177,7 +177,8 @@ class config(LDAPObject):
             cli_name='ipaconfigstring',
             label=_('Password plugin features'),
             doc=_('Extra hashes to generate in password plug-in'),
-            values=(u'AllowLMhash', u'AllowNThash'),
+            values=(u'AllowLMhash', u'AllowNThash',
+                    u'KDC:Disable Last Success', u'KDC:Disable Lockout'),
             csv=True,
         ),
         Str('ipaselinuxusermaporder',