Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1264370
Description of problem: in customers with a high number of logins/kinits we are seeing lots of MOD operations on the attribute krbLastSuccessfulAuth. Even if this attribute is skipped in fractional replication, all the changes are sent to the changelog and replication has to browse them to decide whether to skip them or not. Combined with bug https://bugzilla.redhat.com/show_bug.cgi?id=1259383 this could easily provoke locked replicas and a very important delay in replication. Even once that former bug is fixed, it could be useful not to keep that information, which Alexander (thanks!) checked is not used in the IPA context.

There is already a way to disable this attribute:

```
ldapmodify -x -D "cn=directory manager" -W <<EOF
dn: cn=ipaConfig,cn=etc,dc=example,dc=example
changetype: modify
add: ipaConfigString
ipaConfigString: KDC:Disable Last Success
EOF
```

(special thanks to Marc Sauton!)

We would like, if possible, to have this behavior set by default in IPA.

Regards, German.
I have created DS ticket 48286. If this were implemented we could write the modification of "local" attributes to the database, but completely keep them out of replication processing.
I would close this ticket.
There is an impact and it's not harmless.
```
time: 20150929205523
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=org
changetype: modify
replace: krbLastSuccessfulAuth
krbLastSuccessfulAuth: 20150929185523Z
-
replace: krbLoginFailedCount
krbLoginFailedCount: 0
-
```
So, if no operation is resetting this counter, the impact is considerable.
If we remove the successful auth ops, the failed logins must also be removed.
Comment #4 could be ignored. In fact, a successful login still resets the counter only when the counter is greater than 0.
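As an added example (not code from this ticket or from FreeIPA), a small parser for changelog dump entries in the format quoted above. It counts how many entries touch only krbLastSuccessfulAuth/krbLoginFailedCount, i.e. the MODs that fractional replication browses only to skip, so a deployment can measure how much of its changelog volume the "KDC:Disable Last Success" setting would remove. The attribute set and the sample dump are assumptions constructed from the thread.

```python
# Assumption: the two attributes below are the ones the ticket says replication skips.
LOGIN_ATTRS = {"krblastsuccessfulauth", "krbloginfailedcount"}
# Constructed sample in the dump format quoted above: one login-bookkeeping
# MOD (both attributes) and one ordinary MOD that replication must send.
SAMPLE_DUMP = """\
time: 20150929205523
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=org
changetype: modify
replace: krbLastSuccessfulAuth
krbLastSuccessfulAuth: 20150929185523Z
-
replace: krbLoginFailedCount
krbLoginFailedCount: 0
-
time: 20150929205600
dn: uid=bob,cn=users,cn=accounts,dc=example,dc=org
changetype: modify
replace: mail
mail: bob@example.org
-
"""

def parse_changelog(text):
    """Yield one dict per entry: its time, changetype and modified attrs."""
    entry = None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if key == "time":                         # every entry starts with time:
            if entry:
                yield entry
            entry = {"time": value, "attrs": set()}
        elif entry and key == "changetype":
            entry["changetype"] = value
        elif entry and key in ("add", "replace", "delete"):  # LDIF mod-spec line
            entry["attrs"].add(value.lower())
    if entry:
        yield entry

def login_share(text):
    """Return (login_only, other, fraction) for a changelog dump."""
    login_only = other = 0
    for e in parse_changelog(text):
        if e.get("changetype") == "modify" and e["attrs"] and e["attrs"] <= LOGIN_ATTRS:
            login_only += 1                       # browsed by replication, then skipped
        else:
            other += 1
    total = login_only + other
    return login_only, other, (login_only / total if total else 0.0)
```

Run it against a real dump before and after adding the ipaConfigString to see the fraction of skipped-only entries drop.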
This RFE (Disable: Last successful auth) needs to be implemented for the next major releases BUT will be activated only for fresh installs (for upgrades, we keep the current default behavior: 'Enable: Last successful auth'). This RFE triggers performance improvements.
Regarding the related 389-ds enhancement (https://fedorahosted.org/389/ticket/48286), which also targets performance improvements on the DS side: it is not an urgent RFE. The fix https://fedorahosted.org/389/ticket/48266 is enough to prevent the replication issue.
moved to 4.4 as tracker
Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog
Hi,
We are still manually applying this setting for all the customers with performance issues.
The RFE was logged about a year and a half ago, and all the customers with large RHEL6/RHEL7 deployments are hitting this performance issue, which provokes a HUGE number of MOD operations that are skipped by replication but logged in the changelog. This, combined with the bug that the changelog has a default cache of 2Mb, is quite a killer in large deployments.
The fix seems to be very easy. A new file in /usr/share/ipa/updates/ with the update that config-mod is doing will be enough to give customers this setting by default in newer versions.
Thanks a lot.
Moving to 4.5.1 based on the comment above and IRC discussion with gparente and Thierry. The DS fix doesn't eliminate the issue.
In previous triage, changing the default to have "KDC:Disable Last Success" for new installs was one of the proposed and possible options. Let's do it.
Metadata Update from @pvoborni:
- Issue assigned to mbasti (was: someone)
- Issue close_status updated to: None
- Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5 backlog)
Metadata Update from @mbasti:
- Issue priority set to: 1 (was: 3)
Metadata Update from @mbasti:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/641 (was: 0)
ipa-4-5:
fdcd5f4 Set "KDC:Disable Last Success" by default
master:
eeaf428 Set "KDC:Disable Last Success" by default
Metadata Update from @pvomacka:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)