On 15.3.2013 11:19, Martin Kosek wrote:
I see some issues with this fix:

1) Shouldn't group password policy serve only as an override to the main
policy? I.e. if I have this policy:

# ipa pwpolicy-show test
   Group: test
   Priority: 10
   Max failures: 2

We should still follow settings other than "Max failures" configured in
global policy, right? At least the Kerberos seem to do it. I think we
should be consistent in this case. Now, other values just seem to be zero.

I think we will need to fix both the pre-op and the post-op to make this
working really consistently.

+1, noticed this as well.

2) The lockout post-op still counts failed logins even though we are in
lockout time, is this expected? It is another point if inconsistency
with Kerberos auth. It leaves user's krbloginfailedcount stay on "Max

3) Sometimes, I get into a state when I lockout a new user with Kerberos
and then wait some time until the lockout time passes (no admin unlock),
I am able to run as many LDAP binds as I want.

This is all I found so far. Honza is also reviewing it, so I will let
him post hist findings too.

The commit message says "was being applied properly", when it should say "was being applied improperly".

I have added steps to reproduce the issues the patch fixes to the ticket: <https://fedorahosted.org/freeipa/ticket/3433#comment:6>


Jan Cholasta

Freeipa-devel mailing list

Reply via email to