[Freeipa-devel] [PATCH] 680 ldap lockout

Rob Crittenden rcritten at redhat.com
Tue Jan 18 20:00:17 UTC 2011


Rob Crittenden wrote:
> Jan Zeleny wrote:
>> Rob Crittenden<rcritten at redhat.com> wrote:
>>> Update kerberos password policy values on LDAP binds. This is so
>>> locked-out accounts in kerberos don't try things using LDAP instead.
>>>
>>> On a failed bind this will update krbLoginFailedCount and
>>> krbLastFailedAuth and will potentially fail the bind altogether.
>>>
>>> On a successful bind it will zero krbLoginFailedCount and set
>>> krbLastSuccessfulAuth.
>>>
>>> This will also enforce locked-out accounts.
>>>
>>> See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on
>>> kerberos lockout.
>>>
>>> ticket 343
>>
>> Ack, good job
>>
>> Jan
>
> Simo and Nathan pointed out that the update model I'm using is
> vulnerable to multi-threaded attack and suggested that rather than using
> REPLACE I do a DELETE/ADD to be sure that I'm updating the counter
> appropriately. I've got the basics done, need to re-run through
> valgrind. Will submit another patch shortly.
>
> rob

Updated patch attached. Be more careful when updating the failed count.

rob
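The REPLACE versus DELETE/ADD point raised above, as an added illustration (a small in-memory model written for this page, not code from the FreeIPA patch, which is only attached here): with LDAP modify semantics a DELETE of a specific value fails when that value is gone, so deleting the value you read and adding the incremented one acts as a compare-and-swap on krbLoginFailedCount, while a blind REPLACE silently loses one of two concurrent failed-bind updates. The entry DN and the NoSuchAttribute class are constructed for the example.

```python
class NoSuchAttribute(Exception):
    """Raised when a DELETE names a value the entry does not hold."""

class Directory:
    """Toy directory (constructed for this example) with LDAP modify rules."""
    def __init__(self):
        self.entries = {"uid=alice": {"krbLoginFailedCount": {"0"}}}

    def read_count(self, dn):
        (value,) = self.entries[dn]["krbLoginFailedCount"]
        return int(value)

    def modify(self, dn, ops):
        # Apply the whole mod list atomically, as a directory server does:
        # if any op fails, none of them is stored.
        attrs = {k: set(v) for k, v in self.entries[dn].items()}
        for op, attr, value in ops:
            if op == "delete":
                if value not in attrs.get(attr, set()):
                    raise NoSuchAttribute(f"{attr}={value} not present")
                attrs[attr].discard(value)
            elif op == "add":
                attrs.setdefault(attr, set()).add(value)
            elif op == "replace":
                attrs[attr] = {value}
        self.entries[dn] = attrs

def bump_with_replace(d, dn, seen):
    # Unsafe pattern: REPLACE with (value we read) + 1, whatever is there now.
    d.modify(dn, [("replace", "krbLoginFailedCount", str(seen + 1))])
    return True

def bump_with_delete_add(d, dn, seen):
    # Safe pattern: DELETE the value we read, ADD the incremented one.
    # If another bind already moved the counter, the DELETE fails and the
    # caller re-reads instead of clobbering the other update.
    try:
        d.modify(dn, [("delete", "krbLoginFailedCount", str(seen)),
                      ("add", "krbLoginFailedCount", str(seen + 1))])
        return True
    except NoSuchAttribute:
        return False

def race(bump):
    # Two failed binds read the counter concurrently, then both write.
    d, dn = Directory(), "uid=alice"
    seen = d.read_count(dn)            # both threads observe 0
    ok_a = bump(d, dn, seen)
    ok_b = bump(d, dn, seen)
    if not ok_b:                       # loser re-reads and retries once
        ok_b = bump(d, dn, d.read_count(dn))
    return d.read_count(dn), ok_a, ok_b
```

`race(bump_with_replace)` ends with the counter at 1 although two binds failed; `race(bump_with_delete_add)` ends at 2 because the second writer's stale DELETE is rejected and it retries with a fresh read.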
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-680-2-lockout.patch
Type: text/x-patch
Size: 26562 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110118/5a37c250/attachment.bin>
