Red Hat Bugzilla – Bug 1264370
RFE: disable last successful authentication by default in ipa.
Last modified: 2017-08-01 05:37:23 EDT
Description of problem: in customers with a high number of logins/kinits we are seeing lots of MOD operations on the attribute krbLastSuccessfulAuth. Even if this attribute is skipped in fractional replication, all the changes are sent to the changelog and replication has to browse them to decide whether to skip them or not. Combined with bug https://bugzilla.redhat.com/show_bug.cgi?id=1259383 this could easily provoke locked replicas and a very important delay in replication. Even once that former bug is fixed, it could be useful not to keep that information, which Alexander (thanks!) checked is not used in the IPA context. There is already a way to disable this attribute:

ldapmodify -x -D "cn=directory manager" -W <<EOF
dn: cn=ipaConfig,cn=etc,dc=example,dc=example
changetype: modify
add: ipaConfigString
ipaConfigString: KDC:Disable Last Success
EOF

(special thanks to Marc Sauton!) We would like, if possible, to have this behavior set by default in IPA. Regards, German.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5313
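As an added example (not part of the bug report or of FreeIPA itself), a small shell check that tells whether the "KDC:Disable Last Success" setting from the first comment is already in place, reading either `ipa config-show` output or the ipaConfig entry's ipaConfigString values, and that emits the LDIF for ldapmodify when it is not; the base DN and the sample outputs are constructed for the demonstration.

```shell
# Returns 0 when "KDC:Disable Last Success" is present in the given text.
# $1: either the output of `ipa config-show` (line "Password plugin features:")
#     or LDIF lines of cn=ipaConfig,cn=etc,<base DN> (ipaConfigString values)
last_success_disabled() {
    printf '%s\n' "$1" | grep -q \
        -e 'Password plugin features:.*KDC:Disable Last Success' \
        -e '^ipaConfigString: KDC:Disable Last Success'
}

# Prints the LDIF used in the bug report to add the ipaConfigString.
# $1: base DN of the IPA domain, e.g. dc=example,dc=test (assumed value)
disable_last_success_ldif() {
    printf 'dn: cn=ipaConfig,cn=etc,%s\n' "$1"
    printf 'changetype: modify\n'
    printf 'add: ipaConfigString\n'
    printf 'ipaConfigString: KDC:Disable Last Success\n'
}

# Constructed `ipa config-show` excerpts: feature absent, then present.
SAMPLE_BEFORE='  Maximum username length: 32
  Password plugin features: AllowNThash
  Default shell: /bin/sh'

SAMPLE_AFTER='  Maximum username length: 32
  Password plugin features: AllowNThash, KDC:Disable Last Success
  Default shell: /bin/sh'

# Typical use: pipe `ipa config-show` into a variable and run the check;
# when the setting is missing, write the LDIF to a file and feed it to
# ldapmodify -x -D "cn=directory manager" -W -f <file>.
if last_success_disabled "$SAMPLE_BEFORE"; then
    echo "krbLastSuccessfulAuth updates already disabled"
else
    echo "# setting missing, LDIF to apply with ldapmodify:"
    disable_last_success_ldif "dc=example,dc=test"
fi
```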
Hi, the question in that RFE is to know whether it is useful or not to update the bound entry at each bind. This systematic update revealed a performance issue on fractional replication, BUT by design there was a potential DS performance issue (independently of that specific systematic update of krbLastSuccessfulAuth). To address this issue there were several possibilities.
- The one that was implemented was https://pagure.io/389-ds-base/issue/48266 (https://bugzilla.redhat.com/show_bug.cgi?id=1259949). This ticket is fixed since 389-ds-base-1.3.4.0-18.el7.
- The ticket https://pagure.io/389-ds-base/issue/48286 was another possibility to work around the DS bug: preventing some attributes from being logged in the replication CL. It is not yet implemented and we do not know if it will be.
So since 389-ds-base-1.3.4.0-18.el7 there is no longer a DS fractional replication performance issue. It remains the question whether updating the bound entry is useful or not (this RFE). If it is not useful, IMHO it is easier to fix it in IPA (ipaConfigString: KDC:Disable Last Success) rather than asking for the fix https://pagure.io/389-ds-base/issue/48286 and configuring DS to not log some attributes in the CL.
Fixed upstream ipa-4-5: https://pagure.io/freeipa/c/fdcd5f486839d9279dcba74b74f7756ace5812fa master: https://pagure.io/freeipa/c/eeaf428b1befc37489ed5ee14ae193b46cbd1db7
Verified on ipa-server-4.5.0-13.el7:

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

# ipa config-show
Maximum username length: 32
Home directory base: /home
Default shell: /bin/sh
Default users group: ipausers
Default e-mail domain: testrelm.test
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=TESTRELM.TEST
Password Expiration Notification (days): 4
Password plugin features: AllowNThash, KDC:Disable Last Success
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: MS-PAC, nfs:NONE
IPA masters: host-8-178-58.testrelm.test
IPA CA servers: host-8-178-58.testrelm.test
IPA NTP servers: host-8-178-58.testrelm.test
IPA CA renewal master: host-8-178-58.testrelm.test
Please note that Red Hat officially released the public RHEL-7.4 Beta this week, as announced here: https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-74-beta-now-available The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE. Highlights can be found in the RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.4_Release_Notes/new_features_authentication_and_interoperability.html The IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try the Beta and provide us with your feedback!
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304