[Freeipa-devel] [PATCH] 1092 Fix LDAP lockout plugin
Martin Kosek
mkosek at redhat.com
Fri Mar 15 10:19:12 UTC 2013
On 03/11/2013 10:07 PM, Rob Crittenden wrote:
> Fixed a number of issues applying password policy against LDAP binds. See patch
> for details.
>
> rob
>
I see some issues with this fix:
1) Shouldn't group password policy serve only as an override to the main
policy? I.e. if I have this policy:
# ipa pwpolicy-show test
Group: test
Priority: 10
Max failures: 2
We should still follow settings other than "Max failures" configured in the global
policy, right? At least Kerberos seems to do it. I think we should be
consistent in this case. Now, the other values just seem to be zero.
I think we will need to fix both the pre-op and the post-op to make this
work really consistently.
2) The lockout post-op still counts failed logins even though we are in the lockout
time, is this expected? It is another point of inconsistency with Kerberos
auth. It leaves the user's krbloginfailedcount stuck at "Max failures".
3) Sometimes I get into a state where, if I lock out a new user with Kerberos and
then wait some time until the lockout time passes (no admin unlock), I am able
to run as many LDAP binds as I want.
This is all I found so far. Honza is also reviewing it, so I will let him post
his findings too.
Martin
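The three points above describe how a lockout implementation is expected to behave: a group policy overrides only the attributes it sets and inherits the rest from the global policy, failed binds are not counted while the user is already locked out, and the counter must start again once the lockout time has passed rather than granting unlimited binds. The following is an added example, not code from the FreeIPA plugin or from either reviewer; the `Policy`, `LoginState`, `effective_policy` and `record_bind` names, the attribute names and all numbers are constructed for illustration and do not correspond to FreeIPA's internal API.

```python
"""Added example modelling the password-policy and lockout behaviour discussed
in the review above. Constructed for illustration; not FreeIPA code."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    # None means "not set at this level", so the global value applies.
    max_failures: Optional[int] = None
    failure_reset_interval: Optional[int] = None  # seconds
    lockout_duration: Optional[int] = None        # seconds


# Constructed global policy (hypothetical values).
GLOBAL_POLICY = Policy(max_failures=6, failure_reset_interval=60, lockout_duration=600)

_FIELDS = ("max_failures", "failure_reset_interval", "lockout_duration")


def effective_policy(global_policy: Policy, group_policy: Optional[Policy]) -> Policy:
    """Point 1: a group policy overrides only the attributes it explicitly sets;
    every unset attribute falls back to the global policy instead of zero."""
    merged = {}
    for field in _FIELDS:
        group_value = getattr(group_policy, field) if group_policy is not None else None
        merged[field] = group_value if group_value is not None else getattr(global_policy, field)
    return Policy(**merged)


@dataclass
class LoginState:
    failed_count: int = 0                   # stands in for krbloginfailedcount
    last_failure: Optional[int] = None      # epoch seconds of last failed bind
    last_admin_unlock: Optional[int] = None  # epoch seconds of last admin unlock


def is_locked(state: LoginState, policy: Policy, now: int) -> bool:
    """True while the account is inside its lockout window."""
    if not policy.max_failures or state.failed_count < policy.max_failures:
        return False
    if (state.last_admin_unlock is not None and state.last_failure is not None
            and state.last_admin_unlock >= state.last_failure):
        return False  # admin unlocked after the last failure
    if not policy.lockout_duration:
        return True   # no duration: locked until an admin unlocks
    return now - state.last_failure < policy.lockout_duration


def record_bind(state: LoginState, policy: Policy, now: int, success: bool) -> bool:
    """Apply one LDAP bind attempt to the state. Returns True if the bind is allowed."""
    if is_locked(state, policy, now):
        # Point 2: a locked-out user does not push the counter further.
        return False
    # Point 3: once the reset interval has elapsed the counter starts from zero,
    # so the user gets max_failures fresh attempts and is then locked out again,
    # rather than unlimited binds.
    if (state.last_failure is not None and policy.failure_reset_interval
            and now - state.last_failure >= policy.failure_reset_interval):
        state.failed_count = 0
    if success:
        state.failed_count = 0
        return True
    state.failed_count += 1
    state.last_failure = now
    return False


def demo() -> LoginState:
    """Walk the group policy from the review ('Max failures: 2') through a lockout."""
    policy = effective_policy(GLOBAL_POLICY, Policy(max_failures=2))
    state = LoginState()
    record_bind(state, policy, now=0, success=False)     # failure 1
    record_bind(state, policy, now=1, success=False)     # failure 2 -> locked
    record_bind(state, policy, now=2, success=False)     # ignored while locked
    record_bind(state, policy, now=700, success=False)   # lockout over: counter restarts at 1
    return state


if __name__ == "__main__":
    print(demo())
```

The `effective_policy` merge is the check a reviewer would run against point 1: with only `Max failures` set on the group, the reset interval and lockout duration must still come out as the global values, never zero.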