[Freeipa-devel] [PATCH] 1092 Fix LDAP lockout plugin

Jan Cholasta jcholast at redhat.com
Fri Mar 15 11:18:06 UTC 2013


On 15.3.2013 11:19, Martin Kosek wrote:
> I see some issues with this fix:
>
> 1) Shouldn't group password policy serve only as an override to the main
> policy? I.e. if I have this policy:
>
> # ipa pwpolicy-show test
>    Group: test
>    Priority: 10
>    Max failures: 2
>
> We should still follow settings other than "Max failures" configured in
> global policy, right? At least Kerberos seems to do it. I think we
> should be consistent in this case. Now, other values just seem to be zero.
>
> I think we will need to fix both the pre-op and the post-op to make this
> work really consistently.

+1, noticed this as well.

>
> 2) The lockout post-op still counts failed logins even though we are in
> lockout time, is this expected? It is another point of inconsistency
> with Kerberos auth. It leaves the user's krbloginfailedcount at "Max
> failures".
>
> 3) Sometimes I get into a state where I lock out a new user with Kerberos
> and then wait some time until the lockout time passes (no admin unlock),
> and I am able to run as many LDAP binds as I want.
>
> This is all I found so far. Honza is also reviewing it, so I will let
> him post his findings too.

The commit message says "was being applied properly", when it should say 
"was being applied improperly".

I have added steps to reproduce the issues the patch fixes to the 
ticket: <https://fedorahosted.org/freeipa/ticket/3433#comment:6>

Honza

-- 
Jan Cholasta
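Added example, not code from FreeIPA or from either reviewer: a small Python model of the behaviour the review asks for, where a group password policy overrides only the attributes it sets (everything else falls back to the global policy), and the failed-bind post-op neither keeps counting failures during the lockout window nor allows unlimited binds once the lockout has expired. The LDAP attribute names in the comments are assumed from the FreeIPA schema; the policy values are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PwPolicy:
    """Subset of a password policy. None means 'not set in this policy'."""
    max_failures: Optional[int] = None      # krbPwdMaxFailure (assumed name)
    failure_reset: Optional[int] = None     # krbPwdFailureCountInterval, seconds (assumed name)
    lockout_duration: Optional[int] = None  # krbPwdLockoutDuration, seconds (assumed name)


def effective_policy(global_policy: PwPolicy, group_policy: Optional[PwPolicy]) -> PwPolicy:
    """Group policy is an override: unset attributes come from the global policy."""
    if group_policy is None:
        return global_policy
    merged = {}
    for name in ("max_failures", "failure_reset", "lockout_duration"):
        value = getattr(group_policy, name)
        merged[name] = getattr(global_policy, name) if value is None else value
    return PwPolicy(**merged)


@dataclass
class LockoutState:
    failed_count: int = 0                 # krbLoginFailedCount
    last_failure: Optional[int] = None    # krbLastFailedAuth as epoch seconds (assumed name)


def is_locked(state: LockoutState, policy: PwPolicy, now: int) -> bool:
    """Locked when the count reached max_failures and the lockout window is still open."""
    if not policy.max_failures or state.failed_count < policy.max_failures:
        return False
    if not policy.lockout_duration:
        return True  # duration 0/unset: locked until an admin unlock
    return now < state.last_failure + policy.lockout_duration


def record_failed_bind(state: LockoutState, policy: PwPolicy, now: int) -> bool:
    """Post-op for a failed LDAP bind; returns True if the account is locked afterwards."""
    if is_locked(state, policy, now):
        return True  # inside the lockout window: do not keep incrementing the counter
    if state.last_failure is not None and policy.failure_reset \
            and now - state.last_failure > policy.failure_reset:
        state.failed_count = 0  # failure-count interval elapsed: start a fresh count
    if policy.max_failures and state.failed_count >= policy.max_failures:
        state.failed_count = 0  # lockout expired: new failures count towards a new lockout
    state.failed_count += 1
    state.last_failure = now
    return is_locked(state, policy, now)
```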