[Freeipa-devel] [PATCH] 1092 Fix LDAP lockout plugin

Rob Crittenden rcritten at redhat.com
Fri Mar 15 15:42:41 UTC 2013


Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 03/11/2013 10:07 PM, Rob Crittenden wrote:
>>> Fixed a number of issues applying password policy against LDAP binds.
>>> See patch
>>> for details.
>>>
>>> rob
>>>
>>
>> I see some issues with this fix:
>>
>> 1) Shouldn't group password policy serve only as an override to the main
>> policy? I.e. if I have this policy:
>>
>> # ipa pwpolicy-show test
>>    Group: test
>>    Priority: 10
>>    Max failures: 2
>>
>> We should still follow settings other than "Max failures" configured in
>> global policy, right? At least Kerberos seems to do it. I think we
>> should be consistent in this case. Now, other values just seem to be
>> zero.
>
> There should be only one policy. It isn't supposed to merge policies
> together (there is only one krbPwdPolicyReference per principal).
>
> How is the KDC acting differently?
>
>> I think we will need to fix both the pre-op and the post-op to make this
>> work really consistently.
>>
>> 2) The lockout post-op still counts failed logins even though we are in
>> lockout time, is this expected? It is another point of inconsistency
>> with Kerberos auth. It leaves the user's krbloginfailedcount at "Max
>> failures".
>
> Ok.
>
>>
>> 3) Sometimes, I get into a state when I lockout a new user with Kerberos
>> and then wait some time until the lockout time passes (no admin unlock),
>> I am able to run as many LDAP binds as I want.
>
> Can you clarify? Successful or unsuccessful binds?
>
>> This is all I found so far. Honza is also reviewing it, so I will let
>> him post his findings too.
>>
>> Martin

Here is an updated patch to not increment past the max failures on LDAP 
binds.

I couldn't reproduce your 3rd point.

rob
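The lockout semantics under discussion (a single policy per principal, a failed-bind counter that is not incremented past "Max failures", and no counting at all while the lockout time is running), as an added model in Python. This is not the plugin's code or the patch; the attribute names in comments, the policy fields and the `record_bind` return values are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    """The one password policy referenced by the principal (no merging)."""
    max_failures: int        # "Max failures"; 0 means lockout is disabled
    lockout_duration: int    # lockout time in seconds; 0 means until admin unlock


@dataclass
class UserState:
    failed_count: int = 0                # krbLoginFailedCount
    last_failed: Optional[int] = None    # time of the last failed bind


def is_locked(user: UserState, policy: LockoutPolicy, now: int) -> bool:
    """True while the account is inside its lockout window."""
    if policy.max_failures == 0 or user.failed_count < policy.max_failures:
        return False
    if policy.lockout_duration == 0:
        return True                      # only an admin unlock clears this
    return now - user.last_failed < policy.lockout_duration


def record_bind(user: UserState, policy: LockoutPolicy, now: int,
                success: bool) -> str:
    """Apply the policy to one LDAP bind; returns 'locked', 'denied' or 'ok'."""
    if is_locked(user, policy, now):
        # Point 2 of the review: a bind during lockout time must not touch
        # the counters, whether or not the password was right.
        return "locked"
    if success:
        user.failed_count = 0            # a good bind resets the counter
        return "ok"
    # Do not increment past max failures (the updated patch's change).
    if policy.max_failures == 0 or user.failed_count < policy.max_failures:
        user.failed_count += 1
    user.last_failed = now
    return "denied"
```

Once the lockout time has passed, the counter is still at the maximum, so a single further failed bind re-locks the account and only a successful bind clears it.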

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1092-2-lockout.patch
Type: text/x-diff
Size: 11105 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130315/eed3a90e/attachment.bin>

