
Re: [Freeipa-devel] Implement audit_as kdb layer function



Simo Sorce wrote:
Without this function the audit counters (krbLastFailedAuth,
krbLastSuccessfulAuth, krbLoginFailedCount) are not updated, causing a
regression.

This function updates the counters unconditionally upon
successful/failed authentication (only if pre-auth is used, which is the
default in FreeIPA).

A side effect of how this is implemented is that no other attributes are
updated when this happens, so that replication is not kicked (because we
filter audit counters from replication to avoid replication storms). In
2.1.x, updating these counters also ended up updating krbExtraData, and
that caused replication to kick in.

Simo.

This still isn't working quite right.

The user lockout is not working. The failed counter plateaus at the lockout value (in my case 6). Any failures beyond 6 do not increment the counter; I'm assuming there is some other interaction going on.

It does set the dates properly.

rob

