[Freeipa-devel] [PATCH] 1092 Fix LDAP lockout plugin

Rob Crittenden rcritten at redhat.com
Fri Mar 15 13:34:47 UTC 2013


Martin Kosek wrote:
> On 03/11/2013 10:07 PM, Rob Crittenden wrote:
>> Fixed a number of issues applying password policy against LDAP binds.
>> See patch
>> for details.
>>
>> rob
>>
>
> I see some issues with this fix:
>
> 1) Shouldn't group password policy serve only as an override to the main
> policy? I.e. if I have this policy:
>
> # ipa pwpolicy-show test
>    Group: test
>    Priority: 10
>    Max failures: 2
>
> We should still follow settings other than "Max failures" configured in
> global policy, right? At least Kerberos seems to do it. I think we
> should be consistent in this case. Now, other values just seem to be zero.

There should be only one policy. It isn't supposed to merge policies 
together (there is only one krbPwdPolicyReference per principal).

How is the KDC acting differently?

> I think we will need to fix both the pre-op and the post-op to make this
> work really consistently.
>
> 2) The lockout post-op still counts failed logins even though we are in
> lockout time, is this expected? It is another point of inconsistency
> with Kerberos auth. It leaves the user's krbloginfailedcount staying at "Max
> failures".

Ok.

>
> 3) Sometimes, I get into a state when I lockout a new user with Kerberos
> and then wait some time until the lockout time passes (no admin unlock),
> I am able to run as many LDAP binds as I want.

Can you clarify? Successful or unsuccessful binds?

> This is all I found so far. Honza is also reviewing it, so I will let
> him post his findings too.
>
> Martin

rob
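The lockout semantics argued about above (a per-policy "Max failures", a lockout time during which further attempts should not bump the failed-login counter, and a fresh count once the lockout time has passed) can be written down as a small state machine. The following is an added illustration, not code from the FreeIPA lockout plugin or from either poster; the class and field names (Policy, AccountState, failed_count, last_failure) are assumptions chosen for the example, standing in for the krbloginfailedcount-style attributes the thread mentions.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    """Hypothetical subset of a password policy: max failures and lockout time (seconds)."""
    max_failures: int
    lockout_duration: int


@dataclass
class AccountState:
    """Hypothetical per-account counters, standing in for krbloginfailedcount and the
    last-failure timestamp the lockout check needs."""
    failed_count: int = 0
    last_failure: int = 0


def is_locked(state: AccountState, policy: Policy, now: int) -> bool:
    """An account is locked while the counter has reached max failures and the
    lockout time measured from the last failure has not yet passed."""
    if policy.max_failures == 0:
        return False  # a policy with max failures 0 disables lockout entirely
    if state.failed_count < policy.max_failures:
        return False
    return now < state.last_failure + policy.lockout_duration


def evaluate_bind(state: AccountState, policy: Policy, now: int, credentials_ok: bool) -> str:
    """Apply one bind attempt at time `now` and return "locked", "failed" or "ok".

    Point 2 of the thread: while locked, the attempt is rejected and the counters
    are left untouched, so failed_count stays at max failures instead of growing.
    Point 3 of the thread: once the lockout time has passed, the old count is
    discarded, so repeated bad binds lock the account again after max failures.
    """
    if is_locked(state, policy, now):
        return "locked"
    if state.failed_count >= policy.max_failures:
        # lockout expired on its own (no admin unlock): start a fresh count
        state.failed_count = 0
    if credentials_ok:
        state.failed_count = 0
        return "ok"
    state.failed_count += 1
    state.last_failure = now
    return "failed"


def simulate(policy: Policy, attempts: list[tuple[int, bool]]) -> list[str]:
    """Run a constructed sequence of (timestamp, credentials_ok) binds against one account."""
    state = AccountState()
    return [evaluate_bind(state, policy, t, ok) for t, ok in attempts]


if __name__ == "__main__":
    # Constructed trace: policy like the "test" policy quoted above (Max failures: 2),
    # with a 60 second lockout time assumed for the example.
    policy = Policy(max_failures=2, lockout_duration=60)
    trace = [(0, False), (1, False), (2, True), (30, False),
             (61, False), (62, False), (63, True), (200, True)]
    for (t, ok), outcome in zip(trace, simulate(policy, trace)):
        print(f"t={t:>3} credentials_ok={ok!s:<5} -> {outcome}")
```

The bind at t=2 is rejected even with correct credentials because the account is inside the lockout window, and the bad bind at t=30 does not move the counter; at t=61 the window has expired, so the count restarts and two more failures lock the account again.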