On Wed, 19 Jan 2011 14:15:05 +0100 Jan Zelený <jzel...@redhat.com> wrote:
> Rob Crittenden <rcrit...@redhat.com> wrote:
> > Rob Crittenden wrote:
> > > Jan Zeleny wrote:
> > >> Rob Crittenden<rcrit...@redhat.com> wrote:
> > >>> Update kerberos password policy values on LDAP binds. This is so
> > >>> locked-out accounts in kerberos don't try things using LDAP
> > >>> instead.
> > >>>
> > >>> On a failed bind this will update krbLoginFailedCount and
> > >>> krbLastFailedAuth and will potentially fail the bind altogether.
> > >>>
> > >>> On a successful bind it will zero krbLoginFailedCount and set
> > >>> krbLastSuccessfulAuth.
> > >>>
> > >>> This will also enforce locked-out accounts.
> > >>>
> > >>> See http://k5wiki.kerberos.org/wiki/Projects/Lockout for
> > >>> details on kerberos lockout.
> > >>>
> > >>> ticket 343
> > >>
> > >> Ack, good job
> > >>
> > >> Jan
> > >
> > > Simo and Nathan pointed out that the update model I'm using is
> > > vulnerable to multi-threaded attack and suggested that rather
> > > than using REPLACE I do a DELETE/ADD to be sure that I'm updating
> > > the counter appropriately. I've got the basics done, need to
> > > re-run through valgrind. Will submit another patch shortly.
> > >
> > > rob
> >
> > Updated patch attached. Be more careful when updating the failed
> > count.
> >
> > rob
>
> The patch looks good and it works fine, if Simo doesn't have any more
> security comments: ACK.

Patch looks good to me.

I only wonder if it would make sense to try to cache the entry between the
pre-op and the post-op, but given it is just fetched I guess DS caches it in
memory anyways, so probably not a big deal in any case.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
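The REPLACE versus DELETE/ADD point raised in the thread, as an added example that is not part of the thread or of the FreeIPA patch: a constructed in-memory model of LDAP modify semantics (an all-or-nothing modify in which a DELETE of a value the entry does not hold rejects the whole operation with noSuchAttribute). Two failed binds that each read krbLoginFailedCount before writing lose an increment under REPLACE, while DELETE old / ADD new rejects the stale write; the re-read-and-retry loop and the `Entry` class are assumptions for the demonstration, not behaviour the patch is described as having.

```python
"""Constructed model of LDAP modify semantics, not the 389-ds plugin: a modify
is all-or-nothing, and DELETE of a value the entry lacks fails (noSuchAttribute)."""
ATTR = "krbLoginFailedCount"

class NoSuchAttribute(Exception):
    """DELETE named a value that is not present: the whole modify is rejected."""

class Entry:
    def __init__(self, failed_count):
        self.attrs = {ATTR: {str(failed_count)}}

    def read_count(self):
        return int(next(iter(self.attrs[ATTR])))

    def modify(self, changes):
        """Apply (op, attr, values) changes atomically; on failure nothing changes."""
        new = {k: set(v) for k, v in self.attrs.items()}
        for op, attr, values in changes:
            current = new.setdefault(attr, set())
            if op == "replace":
                new[attr] = set(values)
            elif op == "add":
                current.update(values)
            elif op == "delete":
                if not set(values) <= current:
                    raise NoSuchAttribute(attr)
                current.difference_update(values)
        self.attrs = new

def bump_with_replace(entry, observed):
    # Blind write: whatever the counter holds now is overwritten with observed+1.
    entry.modify([("replace", ATTR, [str(observed + 1)])])

def bump_with_delete_add(entry, observed):
    # Compare-and-swap: the DELETE succeeds only if the counter is still 'observed'.
    entry.modify([("delete", ATTR, [str(observed)]),
                  ("add", ATTR, [str(observed + 1)])])

def race(strategy, start=3, workers=2, retries=3):
    """All workers read the counter before any writes; retry-on-reject is assumed."""
    entry = Entry(start)
    snapshots = [entry.read_count() for _ in range(workers)]
    for seen in snapshots:
        for _ in range(retries):
            try:
                strategy(entry, seen)
                break
            except NoSuchAttribute:
                seen = entry.read_count()  # stale snapshot: re-read and try again
    return entry.read_count()
```

With two concurrent failures starting from 3, `race(bump_with_replace)` ends at 4 (one increment lost) and `race(bump_with_delete_add)` ends at 5.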