Rob Crittenden <[email protected]> wrote:
> Rob Crittenden wrote:
> > Jan Zeleny wrote:
> >> Rob Crittenden <[email protected]> wrote:
> >>> Update kerberos password policy values on LDAP binds. This is so
> >>> locked-out accounts in kerberos don't try things using LDAP instead.
> >>>
> >>> On a failed bind this will update krbLoginFailedCount and
> >>> krbLastFailedAuth and will potentially fail the bind altogether.
> >>>
> >>> On a successful bind it will zero krbLoginFailedCount and set
> >>> krbLastSuccessfulAuth.
> >>>
> >>> This will also enforce locked-out accounts.
> >>>
> >>> See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on
> >>> kerberos lockout.
> >>>
> >>> ticket 343
> >>
> >> Ack, good job
> >>
> >> Jan
> >
> > Simo and Nathan pointed out that the update model I'm using is
> > vulnerable to multi-threaded attack and suggested that rather than using
> > REPLACE I do a DELETE/ADD to be sure that I'm updating the counter
> > appropriately. I've got the basics done, need to re-run through
> > valgrind. Will submit another patch shortly.
> >
> > rob
>
> Updated patch attached. Be more careful when updating the failed count.
>
> rob
The patch looks good and it works fine, if Simo doesn't have any more security comments: ACK.

Jan

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
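The race discussed in the quoted thread, where two bind handlers doing read-modify-write with MOD_REPLACE lose an increment of krbLoginFailedCount while a DELETE of the exact old value followed by an ADD of the new one behaves as a compare-and-swap, shown against an in-memory stand-in for an LDAP server. This is an added example, not FreeIPA's patch or the 389-ds plugin code; the FakeDirectory class, the generator-based interleaving and the entry values are constructed, and the MOD_* names only mirror python-ldap's constants (nothing here talks to a real directory).

```python
"""Lost-update race on an LDAP counter, and the DELETE/ADD fix.

Constructed illustration: a tiny in-memory server that applies LDAP modify
semantics (REPLACE is unconditional; DELETE of a specific value fails with
noSuchAttribute when that value is gone; a modify request is all-or-nothing).
"""
from typing import Dict, Iterator, List, Set, Tuple

# Changetype codes mirroring python-ldap's MOD_* names (assumed, not imported).
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


class NoSuchAttribute(Exception):
    """Server rejected a DELETE whose value was not present (LDAP result 16)."""


class FakeDirectory:
    """Minimal server: one entry, each attribute is a set of string values."""

    def __init__(self, entry: Dict[str, Set[str]]):
        self.entry = {k: set(v) for k, v in entry.items()}

    def search_value(self, attr: str) -> str:
        # The counter is single-valued in the real schema; return its one value.
        vals = self.entry.get(attr, set())
        return next(iter(vals)) if vals else "0"

    def modify(self, mods: List[Tuple[int, str, List[str]]]) -> None:
        # Stage every change first so the request applies fully or not at all.
        staged = {k: set(v) for k, v in self.entry.items()}
        for op, attr, values in mods:
            if op == MOD_REPLACE:
                staged[attr] = set(values)
            elif op == MOD_ADD:
                staged.setdefault(attr, set()).update(values)
            elif op == MOD_DELETE:
                current = staged.get(attr, set())
                if not set(values) <= current:
                    raise NoSuchAttribute(attr)
                current -= set(values)
        self.entry = staged


def bump_with_replace(d: FakeDirectory) -> Iterator[None]:
    """Read-modify-write using MOD_REPLACE; yields between read and write."""
    n = int(d.search_value("krbLoginFailedCount"))
    yield  # another failed-bind handler may run here
    d.modify([(MOD_REPLACE, "krbLoginFailedCount", [str(n + 1)])])


def bump_with_delete_add(d: FakeDirectory, max_tries: int = 3) -> Iterator[None]:
    """Compare-and-swap: DELETE the value we read, ADD the incremented value.

    If a concurrent handler already changed the counter, the DELETE fails with
    noSuchAttribute, nothing is applied, and we re-read and retry."""
    for _ in range(max_tries):
        old = d.search_value("krbLoginFailedCount")
        yield  # same interleaving point as above
        try:
            d.modify([(MOD_DELETE, "krbLoginFailedCount", [old]),
                      (MOD_ADD, "krbLoginFailedCount", [str(int(old) + 1)])])
            return
        except NoSuchAttribute:
            continue  # lost the race; loop re-reads the current value
    raise RuntimeError("could not update krbLoginFailedCount")


def run_two_failed_binds(strategy) -> int:
    """Interleave two handlers in the worst order: both read, then both write."""
    d = FakeDirectory({"krbLoginFailedCount": {"0"}})
    pending = [strategy(d), strategy(d)]
    while pending:  # round-robin the generators until both finish
        for g in list(pending):
            try:
                next(g)
            except StopIteration:
                pending.remove(g)
    return int(d.search_value("krbLoginFailedCount"))


if __name__ == "__main__":
    print("REPLACE result:", run_two_failed_binds(bump_with_replace))      # 1: one increment lost
    print("DELETE/ADD result:", run_two_failed_binds(bump_with_delete_add))  # 2: both counted
```

The DELETE/ADD pair only works as a compare-and-swap because both changes travel in one modify request and the server applies it atomically; sending the DELETE and the ADD as two separate requests would reintroduce a window between them.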
