Simo Sorce wrote:
Without this function the audit counters (krbLastFailedAuth,
krbLastSuccessfulAuth, krbLoginFailedCount) are not updated causing a
This function updates the counters unconditionally upon
successful/failed authentication (only if pre-auth is used which is the
default in FreeIPA).
A side effect of how this is implemented is that no other attributes are
updated when this happens so that replication is not kicked (because we
filter audit counters from replication to avoid replication storms), in
2.1.x updating these counters also ended up updating krbExtraData and
that caused replication to kick in.
This still isn't working quite right.
The user lockout is not working. The failed counter plateaus at the
lockout value (in my case 6). Any failures beyond 6 do not increment the
counter, I'm assuming there is some other interaction going on.
It does set the dates properly.
Freeipa-devel mailing list