svn rev #24440: trunk/src/ lib/kadm5/srv/ lib/krb5/error_tables/ plugins/kdb/ldap/libkdb_ldap/
ghudson@MIT.EDU
ghudson at MIT.EDU
Thu Oct 7 13:49:44 EDT 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=24440
Commit By: ghudson
Log Message:
ticket: 6799
subject: Performance issue in LDAP policy fetch
Instead of performing a tree search to fill in the refcnt field of a
policy object whenever a policy is fetched, set the refcnt to 0 and
perform a check when policies are deleted.
Changed Files:
U trunk/src/lib/kadm5/srv/svr_policy.c
U trunk/src/lib/krb5/error_tables/kdb5_err.et
U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
Modified: trunk/src/lib/kadm5/srv/svr_policy.c
===================================================================
--- trunk/src/lib/kadm5/srv/svr_policy.c 2010-10-07 17:22:55 UTC (rev 24439)
+++ trunk/src/lib/kadm5/srv/svr_policy.c 2010-10-07 17:49:44 UTC (rev 24440)
@@ -193,10 +193,10 @@
return KADM5_POLICY_REF;
}
krb5_db_free_policy(handle->context, entry);
- if ((ret = krb5_db_delete_policy(handle->context, name)))
- return ret;
- else
- return KADM5_OK;
+ ret = krb5_db_delete_policy(handle->context, name);
+ if (ret == KRB5_KDB_POLICY_REF)
+ ret = KADM5_POLICY_REF;
+ return (ret == 0) ? KADM5_OK : ret;
}
kadm5_ret_t
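Review bot: The translation of `KRB5_KDB_POLICY_REF` into `KADM5_POLICY_REF` is undocumented, and it leaves this function with two separate "policy in use" paths: the earlier `return KADM5_POLICY_REF;` visible at the top of the hunk (presumably guarded by the fetched entry's refcnt, which is outside the hunk) and the result of `krb5_db_delete_policy`. Since the same commit makes the LDAP back end always report a refcnt of 0, the second path is the only one that protects LDAP-backed policies, so it deserves a comment such as `/* Back ends that do not maintain policy_refcnt report an in-use policy from the delete call itself. */` above the `ret = krb5_db_delete_policy(...)` line. The enclosing function starts outside the hunk.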
Modified: trunk/src/lib/krb5/error_tables/kdb5_err.et
===================================================================
--- trunk/src/lib/krb5/error_tables/kdb5_err.et 2010-10-07 17:22:55 UTC (rev 24439)
+++ trunk/src/lib/krb5/error_tables/kdb5_err.et 2010-10-07 17:49:44 UTC (rev 24440)
@@ -83,5 +83,6 @@
ec KRB5_LOG_CORRUPT, "Update log is corrupt"
ec KRB5_LOG_ERROR, "Generic update log error"
ec KRB5_KDB_DBTYPE_MISMATCH, "Database module does not match KDC version"
+ec KRB5_KDB_POLICY_REF, "Policy is in use"
end
Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
===================================================================
--- trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c 2010-10-07 17:22:55 UTC (rev 24439)
+++ trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c 2010-10-07 17:49:44 UTC (rev 24440)
@@ -214,11 +214,12 @@
krb5_ldap_get_value(ld, ent, "krbpwdfailurecountinterval", &(pol_entry->pw_failcnt_interval));
krb5_ldap_get_value(ld, ent, "krbpwdlockoutduration", &(pol_entry->pw_lockout_duration));
- /* Get the reference count */
- pol_dn = ldap_get_dn(ld, ent);
- st = krb5_ldap_get_reference_count (context, pol_dn, "krbPwdPolicyReference",
- &(pol_entry->policy_refcnt), ld);
- ldap_memfree(pol_dn);
+ /*
+ * We don't store the policy refcnt, because principals might be maintained
+ * outside of kadmin. Instead, we will check for principal references when
+ * policies are deleted.
+ */
+ pol_entry->policy_refcnt = 0;
cleanup:
return st;
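Review bot: After this change `policy_refcnt` is 0 for every policy fetched through the LDAP back end, so any caller that displays the field or uses it to decide whether a policy is unused will see "no references" even when principals point at it. The new comment explains why the count is not computed but not what the stored value means; I would extend it with `* The value 0 here is a placeholder, not a count; do not treat it as "unreferenced".` It also looks as if `pol_dn` is no longer used in this function once the `ldap_get_dn`/`ldap_memfree` pair is removed, but its declaration is outside the hunk, so please confirm and drop it if so.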
@@ -329,7 +330,7 @@
krb5_error_code
krb5_ldap_delete_password_policy(krb5_context context, char *policy)
{
- int mask = 0;
+ int mask = 0, refcount;
char *policy_dn = NULL, *class[] = {"krbpwdpolicy", NULL};
krb5_error_code st=0;
LDAP *ld=NULL;
@@ -351,6 +352,13 @@
if (st != 0)
goto cleanup;
+ st = krb5_ldap_get_reference_count(context, policy_dn,
+ "krbPwdPolicyReference", &refcount, ld);
+ if (st == 0 && refcount != 0)
+ st = KRB5_KDB_POLICY_REF;
+ if (st != 0)
+ goto cleanup;
+
/* Ensure that the object is a password policy */
if ((st=checkattributevalue(ld, policy_dn, "objectclass", class, &mask)) != 0)
goto cleanup;
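Review bot: The reference check added before the objectclass test is a check-then-act sequence: nothing visible here makes the `krb5_ldap_get_reference_count` search atomic with the delete that presumably follows below the hunk, so a principal given this policy in between is left with a dangling `krbPwdPolicyReference`. That matters for enforcement, because such a principal may end up with no effective password or lockout policy, depending on how a missing policy is handled at lookup time. If the directory offers no way to close the window, document the limit at the call, e.g. `/* Best-effort: not atomic with the delete below; a reference added concurrently is not detected. */`. Separately, `refcount` is declared uninitialized in `int mask = 0, refcount;` in the previous hunk; `int refcount = 0;` on its own line keeps the `st == 0 && refcount != 0` test well defined even if the helper returns success without writing the output. The function body continues outside the hunk.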