[Freeipa-devel] [PATCH] 680 ldap lockout

Jan Zelený jzeleny at redhat.com
Wed Jan 19 13:15:05 UTC 2011


Rob Crittenden <rcritten at redhat.com> wrote:
> Rob Crittenden wrote:
> > Jan Zeleny wrote:
> >> Rob Crittenden<rcritten at redhat.com> wrote:
> >>> Update kerberos password policy values on LDAP binds. This is so
> >>> locked-out accounts in kerberos don't try things using LDAP instead.
> >>> 
> >>> On a failed bind this will update krbLoginFailedCount and
> >>> krbLastFailedAuth and will potentially fail the bind altogether.
> >>> 
> >>> On a successful bind it will zero krbLoginFailedCount and set
> >>> krbLastSuccessfulAuth.
> >>> 
> >>> This will also enforce locked-out accounts.
> >>> 
> >>> See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on
> >>> kerberos lockout.
> >>> 
> >>> ticket 343
> >> 
> >> Ack, good job
> >> 
> >> Jan
> > 
> > Simo and Nathan pointed out that the update model I'm using is
> > vulnerable to multi-threaded attack and suggested that rather than using
> > REPLACE I do a DELETE/ADD to be sure that I'm updating the counter
> > appropriately. I've got the basics done, need to re-run through
> > valgrind. Will submit another patch shortly.
> > 
> > rob
> 
> Updated patch attached. Be more careful when updating the failed count.
> 
> rob

The patch looks good and it works fine, if Simo doesn't have any more security 
comments: ACK.

Jan
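Added example, not part of the thread and not FreeIPA's code: the race Simo and Nathan raised, simulated in Python. A REPLACE of krbLoginFailedCount is a read-modify-write, so two failed binds that read the counter at the same time both write the same new value and one failure is lost; an attacker firing binds in parallel can keep the counter below the lockout threshold. Putting DELETE(old value) and ADD(new value) in one modify turns the write into a compare-and-swap: the server rejects the stale write and the caller re-reads and retries. The directory server is replaced here by a tiny in-memory Entry class; its semantics (REPLACE overwrites unconditionally, DELETE of an absent value fails with noSuchAttribute, ADD of a present value fails with attributeOrValueExists, one modify is atomic) are the standard LDAP ones but everything about the model, including the race() driver and the Barrier used to force the interleaving, is an assumption of this example. The attribute name comes from the commit message above.

```python
"""Simulated LDAP counter update: REPLACE vs DELETE/ADD under concurrent binds.

Added example, not code from FreeIPA or the patch discussed above. The LDAP
server is stood in for by an in-memory Entry (assumption of this example, not a
description of 389-ds internals). The attribute name krbLoginFailedCount is
from the thread.
"""
import threading


class LdapError(Exception):
    """Base for the two LDAP result codes the example relies on."""


class NoSuchAttribute(LdapError):
    """LDAP resultCode 16: the value named in a DELETE is not present."""


class AttributeOrValueExists(LdapError):
    """LDAP resultCode 20: the value named in an ADD is already present."""


class Entry:
    """Minimal stand-in for a directory entry with atomic modify semantics."""

    def __init__(self, **attrs):
        # Each attribute holds a set of string values, as in LDAP.
        self._attrs = {name: set(values) for name, values in attrs.items()}
        self._lock = threading.Lock()  # one modify at a time, all-or-nothing

    def get(self, attr):
        """Return the single value of attr, or None if the attribute is absent."""
        values = self._attrs.get(attr, set())
        return next(iter(values)) if values else None

    def modify(self, mods):
        """Apply [(op, attr, value), ...] atomically; op is replace/add/delete."""
        with self._lock:
            working = {name: set(values) for name, values in self._attrs.items()}
            for op, attr, value in mods:
                values = working.setdefault(attr, set())
                if op == "replace":
                    values.clear()
                    values.add(value)
                elif op == "add":
                    if value in values:
                        raise AttributeOrValueExists(f"{attr}: {value!r} already present")
                    values.add(value)
                elif op == "delete":
                    if value not in values:
                        raise NoSuchAttribute(f"{attr}: {value!r} not present")
                    values.discard(value)
                else:
                    raise ValueError(f"unknown modify op {op!r}")
            self._attrs = working  # commit only if every change applied


COUNTER = "krbLoginFailedCount"


def increment_with_replace(entry, before_write=lambda: None):
    """Read-modify-write using REPLACE. The write clobbers whatever another
    bind stored between our read and our write, so failures are lost."""
    current = int(entry.get(COUNTER) or 0)
    before_write()  # hook used by race() to line the threads up
    entry.modify([("replace", COUNTER, str(current + 1))])
    return current + 1


def increment_with_delete_add(entry, before_write=lambda: None, max_retries=10):
    """Compare-and-swap using DELETE(old) + ADD(new) in a single modify.

    If another bind changed the counter after we read it, the DELETE (or, when
    the attribute was absent, the ADD) fails and we re-read and retry instead
    of silently overwriting the other bind's increment.
    """
    for attempt in range(max_retries):
        current = entry.get(COUNTER)
        if attempt == 0:
            before_write()
        if current is None:
            mods = [("add", COUNTER, "1")]
            new_value = 1
        else:
            new_value = int(current) + 1
            mods = [("delete", COUNTER, current), ("add", COUNTER, str(new_value))]
        try:
            entry.modify(mods)
            return new_value
        except LdapError:
            continue  # lost the race; re-read and try again
    raise RuntimeError("could not update %s after %d attempts" % (COUNTER, max_retries))


def race(entry, increment, workers=2):
    """Run `workers` concurrent failed-bind updates that all read the counter
    before any of them writes (a Barrier makes the interleaving deterministic)
    and return the resulting counter value."""
    barrier = threading.Barrier(workers)
    threads = [threading.Thread(target=increment, args=(entry, barrier.wait))
               for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return int(entry.get(COUNTER) or 0)


if __name__ == "__main__":
    lost = race(Entry(krbLoginFailedCount=["0"]), increment_with_replace)
    safe = race(Entry(krbLoginFailedCount=["0"]), increment_with_delete_add)
    print(f"REPLACE after 2 concurrent failed binds:    {lost}")  # 1, one lost
    print(f"DELETE/ADD after 2 concurrent failed binds: {safe}")  # 2
```

The retry loop matters as much as the DELETE/ADD pair: a rejected modify is not an error to log and move on from, it means the value was stale, and the count must be re-read before the next attempt. The same pattern applies when zeroing the counter on a successful bind, where a plain REPLACE is acceptable only because the target value does not depend on what was read.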
