Simo Sorce wrote:
On Wed, 19 Jan 2011 14:15:05 +0100
Jan Zelený<jzel...@redhat.com>  wrote:

Rob Crittenden<rcrit...@redhat.com>  wrote:
Rob Crittenden wrote:
Jan Zeleny wrote:
Rob Crittenden<rcrit...@redhat.com>  wrote:
Update kerberos password policy values on LDAP binds. This is so
locked-out accounts in kerberos don't try things using LDAP
instead.

On a failed bind this will update krbLoginFailedCount and
krbLastFailedAuth and will potentially fail the bind altogether.

On a successful bind it will zero krbLoginFailedCount and set
krbLastSuccessfulAuth.

This will also enforce locked-out accounts.

See http://k5wiki.kerberos.org/wiki/Projects/Lockout for
details on kerberos lockout.

ticket 343

Ack, good job

Jan

Simo and Nathan pointed out that the update model I'm using is
vulnerable to multi-threaded attack and suggested that rather
than using REPLACE I do a DELETE/ADD to be sure that I'm updating
the counter appropriately. I've got the basics done, need to
re-run through valgrind. Will submit another patch shortly.

rob

Updated patch attached. Be more careful when updating the failed
count.

rob

The patch looks good and it works fine, if Simo doesn't have any more
security comments: ACK.

Patch looks good to me.
I only wonder if it would make sense to try to cache the entry between
the pre-op and the post-op, but given it is just fetched I guess DS
caches it in memory anyways, so probably not a big deal in any case.

Simo.


pushed to master

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
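Added example, not code from the patch or from FreeIPA/389-ds: a small Python sketch of why the thread's switch from REPLACE to DELETE/ADD matters for the krbLoginFailedCount update. The Entry class is a constructed stand-in for a directory entry with LDAP modify semantics (each modify is applied atomically, and a DELETE of a value that is no longer present fails); the interleaving of two failed binds is simulated deterministically rather than with threads.

```python
class Entry:
    """Constructed stand-in for a directory entry: multi-valued attributes,
    one modify() call == one atomic LDAP modify operation."""

    def __init__(self, **attrs):
        self.attrs = {k: set(v) for k, v in attrs.items()}

    def get_one(self, attr):
        vals = self.attrs.get(attr, set())
        return next(iter(vals)) if vals else None

    def modify(self, mods):
        snapshot = {k: set(v) for k, v in self.attrs.items()}
        for op, attr, val in mods:
            vals = self.attrs.setdefault(attr, set())
            if op == "delete":
                if val not in vals:            # LDAP: noSuchAttribute
                    self.attrs = snapshot      # whole op fails, nothing applied
                    raise LookupError("noSuchAttribute: %s=%s" % (attr, val))
                vals.discard(val)
            elif op == "add":
                vals.add(val)
            elif op == "replace":
                self.attrs[attr] = {val}


def read_count(entry):
    return int(entry.get_one("krbLoginFailedCount") or 0)


def replace_increment(entry, observed):
    """Plain REPLACE with observed+1: silently overwrites a concurrent update."""
    entry.modify([("replace", "krbLoginFailedCount", str(observed + 1))])
    return observed + 1


def delete_add_increment(entry, observed):
    """DELETE the value we read and ADD observed+1 in one modify. If another
    bind already moved the counter, the DELETE fails; re-read and retry."""
    while True:
        try:
            entry.modify([("delete", "krbLoginFailedCount", str(observed)),
                          ("add", "krbLoginFailedCount", str(observed + 1))])
            return observed + 1
        except LookupError:
            observed = read_count(entry)


def simulate_concurrent_failures(increment):
    """Two failed binds whose pre-op reads both happen before either writes."""
    entry = Entry(krbLoginFailedCount=["0"])
    seen_a = read_count(entry)     # bind A reads 0
    seen_b = read_count(entry)     # bind B reads 0 before A has written
    increment(entry, seen_a)
    increment(entry, seen_b)
    return read_count(entry)       # REPLACE -> 1 (lost update), DELETE/ADD -> 2
```

With REPLACE the second writer clobbers the first and one failed attempt is never counted against the lockout policy; with DELETE/ADD the stale write is rejected by the server and the retry lands on the fresh value.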
