Martin Kosek wrote:
On 03/11/2013 10:07 PM, Rob Crittenden wrote:
Fixed a number of issues applying password policy against LDAP binds.
See patch
for details.


I see some issues with this fix:

1) Shouldn't group password policy serve only as an override to the main
policy? I.e. if I have this policy:

# ipa pwpolicy-show test
   Group: test
   Priority: 10
   Max failures: 2

We should still follow settings other than "Max failures" configured in
global policy, right? At least the Kerberos seem to do it. I think we
should be consistent in this case. Now, other values just seem to be zero.

There should be only one policy. It isn't supposed to merge policies together (there is only one krbPwdPolicyReference per principal).

How is the KDC acting differently?

I think we will need to fix both the pre-op and the post-op to make this
working really consistently.

2) The lockout post-op still counts failed logins even though we are in
lockout time, is this expected? It is another point if inconsistency
with Kerberos auth. It leaves user's krbloginfailedcount stay on "Max


3) Sometimes, I get into a state when I lockout a new user with Kerberos
and then wait some time until the lockout time passes (no admin unlock),
I am able to run as many LDAP binds as I want.

Can you clarify? Successful or unsuccessful binds?

This is all I found so far. Honza is also reviewing it, so I will let
him post hist findings too.



Freeipa-devel mailing list

Reply via email to