[Freeipa-devel] Kerberos lockout policy

Rob Crittenden rcritten at redhat.com
Fri Aug 27 18:35:34 UTC 2010


Simo Sorce wrote:
> On Fri, 27 Aug 2010 09:41:57 -0400
> Rob Crittenden <rcritten at redhat.com> wrote:
>
>> We had talked about this at one point, perhaps in IRC, and there was
>> some reluctance to do this since every time a user logs in a number
>> of attributes can get updated. The concern was the additional load
>> added by replication. The suggested fix was to simply not replicate
>> these.
>
> Rob, we do not want to replicate counters or timestamps, but we
> certainly want to replicate an account lock. It should happen rarely
> enough to reach that stage that we can replicate nsAccountLock easily.
>
> Simo.
>

I don't think that nsAccountLock gets set in this case. The KDC 
evaluates the attributes on-the-fly as far as I can tell.

rob



