Add support for disabling KDC writes

Add two global ipaConfig options to disable undesirable writes that have
performance impact.
The "KDC:Disable Last Success" will disable writing back to LDAP the last
successful AS Request time (successful kinit).
The "KDC:Disable Lockout" will completely disable writing back
lockout-related data. This means lockout policies will stop working.

https://fedorahosted.org/freeipa/ticket/2734
Simo Sorce
2012-05-23 12:35:44 -04:00
committed by Rob Crittenden
parent f8e7b516d9
commit f602ad270d
5 changed files with 78 additions and 2 deletions

@@ -72,6 +72,9 @@ void ipadb_audit_as_req(krb5_context kcontext,
client->fail_auth_count = 0;
client->mask |= KMASK_FAIL_AUTH_COUNT;
}
if (ipactx->disable_last_success) {
break;
}
client->last_success = authtime;
client->mask |= KMASK_LAST_SUCCESS;
}
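Review bot: The new `if (ipactx->disable_last_success)` check sits after the block that sets `client->fail_auth_count = 0` and `KMASK_FAIL_AUTH_COUNT`, so a successful AS request can still mark the entry for a write-back even when last-success updates are disabled. If the goal is to avoid LDAP writes on successful kinit, consider also skipping that counter reset when `disable_lockout` is set, since the counter is never incremented in that mode, and add a short comment above the `break` saying which write it suppresses.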
@@ -80,6 +83,10 @@ void ipadb_audit_as_req(krb5_context kcontext,
case KRB5KDC_ERR_PREAUTH_FAILED:
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
if (ipactx->disable_lockout) {
break;
}
if (client->last_failed <= ied->last_admin_unlock) {
/* Reset fail_auth_count, and admin unlocked the account */
client->fail_auth_count = 0;
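Review bot: The `if (ipactx->disable_lockout)` early `break` at the top of the `KRB5KDC_ERR_PREAUTH_FAILED` / `KRB5KRB_AP_ERR_BAD_INTEGRITY` case skips all failure accounting, and nothing in the code says so. The commit message states that lockout policies stop working with this option; a comment at the check should say the same, so that a reader of this function sees that `last_failed` and `fail_auth_count` are never updated here and repeated pre-authentication failures are no longer counted. It would also help operators if the KDC logged once that lockout tracking is disabled, so the setting is visible outside the LDAP configuration.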