Per Simo add 'disable_last_success' and 'disable_lockout' to the ipadb.so db library
Kerberos data changing is causing replication storming behavior. These knobs are set to contain this level of changes to the replica server itself without replicating them.
The new kdb DAL driver always sets krb5LastSuccessfulAuth for every successful AS request (every kinit) and always saves lockout-related attributes for every failed attempt.
Due to Ticket #2534 this means each pre-authenticated AS request whether successful or not causes a replication to all servers.
We should provide options to avoid writing to LDAP in these cases if the admin prefers to avoid the performance cost (and, until 2534 is fixed, the replication cost).
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=824488
ipa-2-2: 97e3626
master: f602ad2
UI component for master only.
master: 1fcbad4
The ipa_lockout plugin can also update krb5LastSuccessfulAuth so if KDC:Disable Last Success is set but KDC:Disable Lockout is not then the value will still be updated.
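One way to set both knobs on a server, as an added example that is not part of this ticket or of the FreeIPA patches it references. It assumes the per-server KDC configuration entry under cn=masters carries these settings as ipaConfigString values; the hostname ipa.example.test and the base DN dc=example,dc=test are placeholders to replace for a real deployment. Both values are set together because, as the comment above notes, the ipa_lockout plugin still updates krb5LastSuccessfulAuth when only KDC:Disable Last Success is present.

```ldif
# Added example, not from the ticket. Assumed entry: the KDC service entry of one
# master under cn=masters. Hostname and base DN are placeholders.
# Apply with: ldapmodify -x -D "cn=Directory Manager" -W -f disable-kdc-writes.ldif
dn: cn=KDC,cn=ipa.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
changetype: modify
add: ipaConfigString
ipaConfigString: KDC:Disable Last Success
ipaConfigString: KDC:Disable Lockout
```

After restarting the KDC on that server, a kinit against it should leave krb5LastSuccessfulAuth unchanged and a failed pre-authentication should no longer touch the lockout attributes, which is what removes the per-authentication replication traffic. Keep in mind the trade-off the knobs introduce: with lockout disabled, failed-attempt counting on that server stops, so brute-force detection has to come from KDC logs or another control rather than from the directory.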
attachment freeipa-rcrit-1073-lockout.patch
master: 146da1b
ipa-3-0: a149f01
Metadata Update from @jraquino: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 3.0.2