[Freeipa-devel] [PATCH] 1073 honor disabling lockout in ipa_lockout

Simo Sorce simo at redhat.com
Tue Dec 4 20:12:12 UTC 2012


On Tue, 2012-12-04 at 15:03 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Tue, 2012-12-04 at 11:51 -0500, Rob Crittenden wrote:
> >> Two options were added to the kdb backend to disable writes. The
> >> ipa_lockout plugin needs to honor these as well.
> >
> > Oh I saw it assigned to me and was going to propose a similar patch.
> > Thanks for getting there first :-)
> >
> > But one q. I wonder if we shouldn't share the code to audit stuff
> > between the kdb plugin and the ldap plugin, this split sounds like it is
> > going to bite us again if we need to change behavior.
> >
> > What do you think?
> >
> > Simo.
> >
> 
> I figured that since I wrote the lockout plugin I should fix this :-)
> 
> I think that sharing the logic of the lockout is a great idea. I'm not 
> entirely sure if all the LDAP-ey code can be made totally generic (one 
> runs as an internal plugin of 389-ds, the other inside the KDC) 
> but at least the evaluation logic can be consolidated.

We already share code between the password plugin and the kdb driver for
password related stuff, we just need to be smart :-)

> Are you proposing that as part of this fix or as a future enhancement?

Nah, let's open a ticket for 3.2, I do not want to delay this fix, which
*is* sufficient to address the bug.

So ACK.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



