#1078 Make HBAC srchost processing optional
Closed: Fixed None Opened 7 years ago by sgallagh.

Source host processing is very costly (it requires us to retrieve the complete list of hosts from the FreeIPA server) and it's inherently unreliable (due to the fact that there is no PAM standard for what applications will send us in the {{{srchost}}} field).

We should add a new option, {{{ipa_hbac_support_srchost}}}, that will default to {{{False}}}. If this option is false, we will perform a much simpler host lookup (just the current host and its parents). This will significantly improve login performance in environments with large numbers of hosts.

When it's false, we should also modify rules we retrieve to treat srchost as {{{category = ALL}}} (thus meaning it will always match).
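
The rule rewrite described in this ticket, as an added example; it is not SSSD's code. The types, function names and host names are hypothetical and model only the target-host and source-host elements of a rule.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model for illustration; these are not SSSD's own types. */
enum category { CATEGORY_NONE = 0, CATEGORY_ALL = 1 };
struct rule_element {
    enum category category; /* CATEGORY_ALL matches any value */
    const char **names;     /* NULL-terminated list, used otherwise */
};
struct rule { struct rule_element targethost, srchost; };

/* An absent value (NULL) can only match an element of category ALL. */
static bool element_matches(const struct rule_element *el, const char *value)
{
    if (el->category == CATEGORY_ALL) return true;
    if (value == NULL || el->names == NULL) return false;
    for (size_t i = 0; el->names[i] != NULL; i++)
        if (strcmp(el->names[i], value) == 0) return true;
    return false;
}

/* With srchost support off, rewrite srchost to category ALL (always matches). */
static void apply_srchost_policy(struct rule *r, bool support_srchost)
{
    if (support_srchost) return;
    r->srchost.category = CATEGORY_ALL;
    r->srchost.names = NULL;
}

/* srchost is whatever the PAM application sent; it may be NULL. */
static bool rule_allows(const struct rule *r, const char *targethost,
                        const char *srchost)
{
    return element_matches(&r->targethost, targethost)
        && element_matches(&r->srchost, srchost);
}

int main(void)
{
    /* Constructed sample rule and host names. */
    const char *th[] = { "web1.example.com", NULL };
    const char *sh[] = { "bastion.example.com", NULL };
    struct rule r = { { CATEGORY_NONE, th }, { CATEGORY_NONE, sh } };
    printf("srchost honoured, none sent: %d\n", rule_allows(&r, th[0], NULL));
    apply_srchost_policy(&r, false);
    printf("srchost ignored, none sent:  %d\n", rule_allows(&r, th[0], NULL));
    return 0;
}
```

In this model, a rule that restricted access by source host matches from any source once the element is rewritten, while the target-host check is unaffected.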


Fields changed

patch: 0 => 1
status: new => assigned

Fixed in: 6fb75e2

resolution: => fixed
status: assigned => closed

Fields changed

type: defect => enhancement

Metadata Update from @sgallagh:
- Issue assigned to jzeleny
- Issue set to the milestone: SSSD 1.7.0

2 years ago
