[Freeipa-devel] Implement audit_as kdb layer function
Rob Crittenden
rcritten at redhat.com
Tue Feb 14 15:22:34 UTC 2012
Simo Sorce wrote:
> Without this function the audit counters (krbLastFailedAuth,
> krbLastSuccessfulAuth, krbLoginFailedCount) are not updated causing a
> regression.
>
> This function updates the counters unconditionally upon
> successful/failed authentication (only if pre-auth is used which is the
> default in FreeIPA).
>
> A side effect of how this is implemented is that no other attributes are
> updated when this happens so that replication is not kicked (because we
> filter audit counters from replication to avoid replication storms). In
> 2.1.x updating these counters also ended up updating krbExtraData and
> that caused replication to kick in.
>
> Simo.

This still isn't working quite right.

The user lockout is not working. The failed counter plateaus at the
lockout value (in my case 6). Any failures beyond 6 do not increment the
counter; I'm assuming there is some other interaction going on.

It does set the dates properly.

rob