[Freeipa-devel] [PATCH] 680 ldap lockout
Rob Crittenden
rcritten at redhat.com
Tue Jan 18 14:29:17 UTC 2011
Jan Zeleny wrote:
> Rob Crittenden <rcritten at redhat.com> wrote:
>> Update kerberos password policy values on LDAP binds. This is so
>> locked-out accounts in kerberos don't try things using LDAP instead.
>>
>> On a failed bind this will update krbLoginFailedCount and
>> krbLastFailedAuth and will potentially fail the bind altogether.
>>
>> On a successful bind it will zero krbLoginFailedCount and set
>> krbLastSuccessfulAuth.
>>
>> This will also enforce locked-out accounts.
>>
>> See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on
>> kerberos lockout.
>>
>> ticket 343
>
> Ack, good job
>
> Jan
Simo and Nathan pointed out that the update model I'm using is
vulnerable to multi-threaded attack and suggested that rather than using
REPLACE I do a DELETE/ADD to be sure that I'm updating the counter
appropriately. I've got the basics done, need to re-run through
valgrind. Will submit another patch shortly.
rob
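As an added illustration (not the patch and not FreeIPA code), a small in-memory model of the race Simo and Nathan point out: two bind threads read krbLoginFailedCount, then both write back an increment. With REPLACE the second write silently discards the first increment; with DELETE of the exact value read followed by ADD, the stale DELETE fails (LDAP returns noSuchAttribute) so the caller can re-read and retry. `Entry`, `modify` and `NoSuchValue` are constructed stand-ins for the directory server.

```python
# Constructed in-memory stand-in for an LDAP entry; not FreeIPA code.
class NoSuchValue(Exception):
    """Stands in for LDAP resultCode noSuchAttribute: value to delete is gone."""
class Entry:
    def __init__(self, attrs):
        self.attrs = {k: set(v) for k, v in attrs.items()}

    def read(self, attr):
        return set(self.attrs.get(attr, set()))

    def modify(self, changes):
        # An LDAP Modify applies its whole change list atomically: if any
        # step fails, the entry is left exactly as it was.
        work = {k: set(v) for k, v in self.attrs.items()}
        for op, attr, values in changes:
            vals = work.setdefault(attr, set())
            if op == "replace":
                work[attr] = set(values)
            elif op == "add":
                vals |= set(values)
            elif op == "delete":
                if not set(values) <= vals:
                    raise NoSuchValue(f"{attr}: {sorted(values)} not present")
                vals -= set(values)
        self.attrs = work

ATTR = "krbLoginFailedCount"

def bump_with_replace(entry, seen):
    # REPLACE writes this thread's computed value regardless of the current one.
    entry.modify([("replace", ATTR, [str(int(seen) + 1)])])

def bump_with_delete_add(entry, seen):
    # DELETE the exact value we read, then ADD the increment: the DELETE fails
    # if another thread already changed the counter, so no increment is lost.
    entry.modify([("delete", ATTR, [seen]), ("add", ATTR, [str(int(seen) + 1)])])

def one_value(entry):
    return next(iter(entry.read(ATTR)))

def race(bump, start=3):
    """Two bind threads read the same counter, then both write; returns final count."""
    entry = Entry({ATTR: [str(start)]})
    seen_a, seen_b = one_value(entry), one_value(entry)  # both observe 'start'
    bump(entry, seen_a)
    try:
        bump(entry, seen_b)                # stale write from the second thread
    except NoSuchValue:
        bump(entry, one_value(entry))      # conflict detected: re-read and retry
    return int(one_value(entry))
```

`race(bump_with_replace)` ends at 4 (one failed bind uncounted), while `race(bump_with_delete_add)` ends at 5.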