Jan Zeleny wrote:
Rob Crittenden <rcrit...@redhat.com> wrote:
Update kerberos password policy values on LDAP binds. This is so
locked-out accounts in kerberos don't try things using LDAP instead.

On a failed bind this will update krbLoginFailedCount and
krbLastFailedAuth and will potentially fail the bind altogether.

On a successful bind it will zero krbLoginFailedCount and set
krbLastSuccessfulAuth.

This will also enforce locked-out accounts.

See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on
kerberos lockout.

ticket 343

Ack, good job

Jan

Simo and Nathan pointed out that the update model I'm using is vulnerable to multi-threaded attack and suggested that rather than using REPLACE I do a DELETE/ADD to be sure that I'm updating the counter appropriately. I've got the basics done, need to re-run through valgrind. Will submit another patch shortly.

rob
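The REPLACE versus DELETE/ADD point above, as an added example that is not part of the original thread or of the FreeIPA patch. It uses a toy in-memory entry rather than a real directory server; `Entry`, `NoSuchAttribute`, and the helper names are assumptions made for illustration, and only `krbLoginFailedCount` comes from the thread.

```python
class NoSuchAttribute(Exception):
    """Stand-in for the LDAP noSuchAttribute result (hypothetical class)."""


class Entry:
    """Toy single-valued entry; each modify() request applies all-or-nothing."""

    def __init__(self, **attrs):
        self.attrs = dict(attrs)

    def read(self, attr):
        return self.attrs[attr]

    def modify(self, mods):
        staged = dict(self.attrs)          # work on a copy, commit at the end
        for op, attr, value in mods:
            if op == "delete":
                if staged.get(attr) != value:
                    raise NoSuchAttribute(attr)   # value changed under us
                del staged[attr]
            elif op in ("add", "replace"):
                staged[attr] = value
        self.attrs = staged


def bump_replace(entry, seen):
    # Blind overwrite: succeeds even if another bind already moved the counter.
    entry.modify([("replace", "krbLoginFailedCount", seen + 1)])


def bump_delete_add(entry, seen):
    # DELETE of the value we read plus ADD of the new one acts as compare-and-swap.
    while True:
        try:
            entry.modify([("delete", "krbLoginFailedCount", seen),
                          ("add", "krbLoginFailedCount", seen + 1)])
            return
        except NoSuchAttribute:
            seen = entry.read("krbLoginFailedCount")  # lost the race: re-read, retry


def two_racing_failed_binds(bump):
    entry = Entry(krbLoginFailedCount=2)   # constructed starting value
    # Both bind threads read the counter before either one writes it back.
    seen_a = entry.read("krbLoginFailedCount")
    seen_b = entry.read("krbLoginFailedCount")
    bump(entry, seen_a)
    bump(entry, seen_b)
    return entry.read("krbLoginFailedCount")


if __name__ == "__main__":
    print("REPLACE   :", two_racing_failed_binds(bump_replace))
    print("DELETE/ADD:", two_racing_failed_binds(bump_delete_add))
```

With REPLACE, two concurrent failed binds are recorded as one; with DELETE/ADD the second writer is rejected and retries, so both failures count toward lockout.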

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
