[Freeipa-devel] [PATCH] 1073 honor disabling lockout in ipa_lockout
Rob Crittenden
rcritten at redhat.com
Wed Dec 5 15:41:27 UTC 2012
Simo Sorce wrote:
> On Tue, 2012-12-04 at 15:03 -0500, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Tue, 2012-12-04 at 11:51 -0500, Rob Crittenden wrote:
>>>> Two options were added to the kdb backend to disable writes. The
>>>> ipa_lockout plugin needs to honor these as well.
>>>
>>> Oh I saw it assigned to me and was going to propose a similar patch.
>>> Thanks for getting there first :-)
>>>
>>> But one q. I wonder if we shouldn't share the code to audit stuff
>>> between the kdb plugin and the ldap plugin, this split sounds like it is
>>> going to byte us again if we need to change behavior.
>>>
>>> What do you think ?
>>>
>>> Simo.
>>>
>>
>> I figured that since I wrote the lockout plugin I should fix this :-)
>>
>> I think that sharing the logic of the lockout is a great idea. I'm not
>> entirely sure if all the LDAP-ey code can be made totally generic (one
>> runs as an internal plugin of 389-ds, the other other in side the KDC)
>> but at least the evaluation logic can be consolidated.
>
> We already share code between the password plugin and the kdb driver for
> password relate stuff, we just need to be smart :-)
>
>> Are you proposing that as part of this fix or as a future enhancement?
>
> Nah, let's open a ticket for 3.2, I do not want to delay this fix, which
> *is* sufficient to address the bug.
>
> So ACK.
>
> Simo.
>
pushed to master and ipa-3-0
More information about the Freeipa-devel
mailing list