[Freeipa-devel] Kerberos lockout policy
Simo Sorce
ssorce at redhat.com
Fri Aug 27 18:37:22 UTC 2010
On Fri, 27 Aug 2010 14:35:34 -0400
Rob Crittenden <rcritten at redhat.com> wrote:
> Simo Sorce wrote:
> > On Fri, 27 Aug 2010 09:41:57 -0400
> > Rob Crittenden <rcritten at redhat.com> wrote:
> >
> >> We had talked about this at one point, perhaps in irc, and there
> >> was some reluctance to do this since every time a user logs in a
> >> number of attributes can get updated. The concern was the
> >> additional load added by replication. The suggested fix was to
> >> simply not replicate these.
> >
> > Rob, we do not want to replicate counters or timestamps, but we
> > certainly want to replicate an account lock. It should happen rarely
> > enough to reach that stage that we can replicate nsAccountLock
> > easily.
> >
> > Simo.
> >
>
> I don't think that nsAccountLock gets set in this case. The KDC
> evaluates the attributes on-the-fly as far as I can tell.

That would be a problem I guess.
Maybe we need some patching of the ldap database plugin ...

Simo.
--
Simo Sorce * Red Hat, Inc * New York