#5313 [RFE] disable last successful authentication by default in ipa.
Closed: fixed 7 years ago Opened 8 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1264370

Description of problem:

In customers with a high number of logins/kinits we are seeing lots of MOD
operations on the attribute krbLastSuccessfulAuth.

Even if this attribute is skipped in fractional replication, all the changes
are sent to the changelog and replication has to browse them to decide whether to
skip them or not.

Combined with bug

https://bugzilla.redhat.com/show_bug.cgi?id=1259383

this could easily provoke locked replicas and a very significant delay in
replication. Even once that former bug is fixed, it could be useful not to
keep that information, which Alexander (thanks!) checked is not used in the IPA
context.

There is already a way to disable this attribute by:

ldapmodify -x -D "cn=directory manager" -W <<EOF
dn: cn=ipaConfig,cn=etc,dc=example,dc=example
changetype: modify
add: ipaConfigString
ipaConfigString: KDC:Disable Last Success
EOF

(special thanks to Marc Sauton!)

We would like, if possible, to have this behavior set by default in IPA.

Regards,

German.

I have created DS ticket 48286. If this were implemented, we could write the modification of "local" attributes to the database but completely keep them out of replication processing.

I would close this ticket.

There is an impact and it's not harmless.

A successful login is resetting the krbLoginFailedCount:

time: 20150929205523
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=org
changetype: modify
replace: krbLastSuccessfulAuth
krbLastSuccessfulAuth: 20150929185523Z
-
replace: krbLoginFailedCount
krbLoginFailedCount: 0
-

So, if no operation is resetting this counter, the impact is considerable.

If we remove the successful auth ops, the failed logins must also be removed.
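As an added illustration (not part of the ticket or of FreeIPA/389-ds code), a small Python parser for 389-ds audit-log entries in the format of the excerpt above. It counts how many MODs touch each attribute and how many consist of nothing but krbLastSuccessfulAuth, which is what a practitioner would measure before deciding whether "KDC:Disable Last Success" is worth applying; the sample log is constructed.

```python
import re
from collections import Counter

# Constructed sample in the 389-ds audit-log style of the excerpt above
# (the admin entry is the one from the comment; the alice entry is made up).
SAMPLE_AUDIT_LOG = """\
time: 20150929205523
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=org
changetype: modify
replace: krbLastSuccessfulAuth
krbLastSuccessfulAuth: 20150929185523Z
-
replace: krbLoginFailedCount
krbLoginFailedCount: 0
-

time: 20150929205530
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=org
changetype: modify
replace: krbLastSuccessfulAuth
krbLastSuccessfulAuth: 20150929185530Z
-
"""

def parse_audit_entries(text):
    """Return [(dn, [(op, attribute), ...])] for each blank-line-separated entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, ops = None, []
        for line in block.splitlines():
            if line.startswith("dn: "):
                dn = line[4:]
            m = re.match(r"(add|replace|delete): (\S+)$", line)
            if m:
                ops.append((m.group(1), m.group(2)))
        if dn is not None:
            entries.append((dn, ops))
    return entries

def summarize_auth_mods(text):
    """Count MODs touching each attribute, plus MODs whose only change is
    krbLastSuccessfulAuth (the ones the setting removes outright; a MOD that
    also resets krbLoginFailedCount still happens, as discussed above)."""
    per_attr = Counter()
    only_last_success = 0
    for _dn, ops in parse_audit_entries(text):
        attrs = {attr for _op, attr in ops}
        per_attr.update(attrs)
        if attrs == {"krbLastSuccessfulAuth"}:
            only_last_success += 1
    return dict(per_attr), only_last_success
```

Run it over a real audit log (e.g. the contents of /var/log/dirsrv/slapd-INSTANCE/audit, path assumed) to see how much of the changelog traffic the setting would remove.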

Comment #4 can be ignored. In fact, a successful login still resets the counter only when the counter is greater than 0.

  • This RFE (Disable: Last successful auth) needs to be implemented for the next major releases BUT will be activated only for fresh installs (for upgrades, we keep the current default behavior: 'Enable: Last successful auth'). This RFE triggers a performance improvement.

  • Regarding the related 389-ds enhancement (https://fedorahosted.org/389/ticket/48286), which also targets performance improvements on the DS side: it is not an urgent RFE. The fix https://fedorahosted.org/389/ticket/48266 is enough to prevent the replication issue.

moved to 4.4 as tracker

Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

Hi,

We are still applying this setting manually for all the customers with performance issues.

The RFE was logged about a year and a half ago. And all the customers with large RHEL6/RHEL7 deployments are hitting this perf. issue, which provokes a HUGE number of MOD operations that are skipped by replication but logged in the changelog. Combined with the bug that the changelog has a default cache of 2Mb, this is quite a killer in large deployments.

The fix seems to be very easy. A new file in /usr/share/ipa/updates/ with the update that config-mod is doing will be enough to give customers this setting by default in newer versions.

Thanks a lot.

Moving to 4.5.1 based on the comment above and IRC discussion with gparente and Thierry. The DS fix doesn't eliminate the issue.

In previous triage, changing the default to have "KDC:Disable Last Success" for new installs was one of the proposed and possible options. Let's do it.

Metadata Update from @pvoborni:
- Issue assigned to mbasti (was: someone)
- Issue close_status updated to: None
- Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5 backlog)

7 years ago

Metadata Update from @mbasti:
- Issue priority set to: 1 (was: 3)

7 years ago

Metadata Update from @mbasti:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/641 (was: 0)

7 years ago

ipa-4-5:

  • fdcd5f4 Set "KDC:Disable Last Success" by default

master:

  • eeaf428 Set "KDC:Disable Last Success" by default

Metadata Update from @pvomacka:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 years ago
