attachment
excessive_krb.txt

A proposed solution would be a new flag to ipa so that rather than executing a given comment it outputs a json equivalent that can be used with the batch service.

So you would run a series of ipa <object>-add --options and the output would be the json equivalent of the command. This could be wrapped into a single son request.

While doing a bulk import of data through wrapping the ipa command line, it was apparent that the running of the cli and the actions transpiring were eating up a lot of different ldap resources.

Eventually the ldap server appears to stop responding, which in turn prevents additional kerberos transactions to occur and follows a cascade of failures.

What we need to do here is cache the kerberos credentials, this way when a ticket comes in and we already have it in the cache, we can use the "cached" credential cache which already contains a valid ticket for the LDAP server instead of acquiring a new ticket for the LDAP service with every HTTP request.

This improvement would make the pair with using secure cookies and doing krb auth only sporadically in order to improve connection speed too by avoiding the challenge response dance when possible.

Create a cache that will be shared between the apache sessions.
The cache will contain hash of the principal - ldap ticket pairs.

moving to 2.1 deferable because this task is really "add session support" which is a significant effort.

Moving the ticket to the next month iteration.

Moving to next month iteration.

Moving to next month iteration.

Sessions are done in the UI. What remains is support for the cli. We have ticket https://fedorahosted.org/freeipa/ticket/2331 for that work.

I propose closing this.

Closing as a duplicate. This inspired us to get sessions in the UI which is complete and we'll finish up the command-line in ticket 2331.