krb5 commit [krb5-1.13]: Update LDAP docs for password lockout
Tom Yu
tlyu at mit.edu
Fri Jul 15 15:10:50 EDT 2016
https://github.com/krb5/krb5/commit/81010f3f731b0d66478c23db91aa4eaf95fa4d50
commit 81010f3f731b0d66478c23db91aa4eaf95fa4d50
Author: Greg Hudson <ghudson at mit.edu>
Date: Thu Jul 7 16:58:02 2016 -0400
Update LDAP docs for password lockout
The KDC now needs write access to the LDAP KDB, unless password
lockout and tracking of the last successful authentication time are
disabled. Update the example LDAP access control configuration in
conf_ldap.rst to reflect this, add a note that only read access is
required if lockout is disabled, and add a section to lockout.rst
calling out the need for write access. Reported by Will Fiveash.
[ci skip]
(cherry picked from commit c6550832235c63ccfaceb61864e887a675b02619)
ticket: 8452
version_fixed: 1.13.6
tags: -pullup
status: resolved
doc/admin/conf_ldap.rst | 9 ++++++---
doc/admin/lockout.rst | 10 ++++++++++
2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/doc/admin/conf_ldap.rst b/doc/admin/conf_ldap.rst
index c8237d6..6443f46 100644
--- a/doc/admin/conf_ldap.rst
+++ b/doc/admin/conf_ldap.rst
@@ -47,7 +47,10 @@ Configuring Kerberos with OpenLDAP back-end
container.
5. Configure the LDAP server ACLs to enable the KDC and kadmin server
- DNs to read and write the Kerberos data.
+ DNs to read and write the Kerberos data. If
+ **disable_last_success** and **disable_lockout** are both set to
+ true in the :ref:`dbmodules` subsection for the realm, then the
+ KDC DN only requires read access to the Kerberos data.
Sample access control information::
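Review bot: the new sentence in step 5 grants the KDC DN read-only access when both **disable_last_success** and **disable_lockout** are true, but it does not say what breaks when the two settings are left at their defaults and the ACL is left at `read`; the lockout.rst hunk in this same commit states that "account lockout will not function" in that case, and a one-line cross-reference to that section here would keep the two documents consistent and tell an administrator which symptom to expect. Since the KDC only needs to update principal objects (per lockout.rst), the text could also mention that the `write` grant can be scoped with an OpenLDAP `attrs=` clause to the attributes the KDC actually modifies, rather than the whole subtree, for sites that want a least-privilege KDC DN.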
@@ -67,13 +70,13 @@ Configuring Kerberos with OpenLDAP back-end
# Providing access to realm container
access to dn.subtree= "cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com"
- by dn.exact="cn=kdc-service,dc=example,dc=com" read
+ by dn.exact="cn=kdc-service,dc=example,dc=com" write
by dn.exact="cn=adm-service,dc=example,dc=com" write
by * none
# Providing access to principals, if not underneath realm container
access to dn.subtree= "ou=users,dc=example,dc=com"
- by dn.exact="cn=kdc-service,dc=example,dc=com" read
+ by dn.exact="cn=kdc-service,dc=example,dc=com" write
by dn.exact="cn=adm-service,dc=example,dc=com" write
by * none
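Review bot: the sample now shows only the `write` variant for `cn=kdc-service`, while the prose added above it describes a read-only configuration when lockout and last-success tracking are disabled; the sample would be clearer with a short comment noting the alternative, e.g. `# read is sufficient if disable_lockout and disable_last_success are true` above `by dn.exact="cn=kdc-service,dc=example,dc=com" write`, so that administrators copying the sample do not grant write access they do not need. Both stanzas (realm container and `ou=users`) change identically, so a single comment on the first stanza and a reference to it on the second would suffice.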
diff --git a/doc/admin/lockout.rst b/doc/admin/lockout.rst
index 7e62841..8c98aea 100644
--- a/doc/admin/lockout.rst
+++ b/doc/admin/lockout.rst
@@ -138,3 +138,13 @@ have the largest positive impact on performance, and will still allow
account lockout policies to operate. However, it will make it
impossible to observe the last successful authentication time with
kadmin.
+
+
+KDC setup and account lockout
+-----------------------------
+
+To update the account lockout state on principals, the KDC must be
+able to write to the principal database. For the DB2 module, no
+special setup is required. For the LDAP module, the KDC DN must be
+granted write access to the principal objects. If the KDC DN has only
+read access, account lockout will not function.
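Review bot: the new section says the KDC needs write access "to update the account lockout state", but the commit message also names tracking of the last successful authentication time as a reason for write access, and the conf_ldap.rst hunk conditions read-only access on both **disable_lockout** and **disable_last_success**; the section should mention **disable_last_success** as well, otherwise a reader who has disabled lockout only might conclude read access is enough and lose last-success updates silently. It would also help to state what an administrator will observe when the KDC DN has only read access (whether the KDC logs an LDAP error or the failure count simply stays at zero), since "will not function" does not tell them how to detect the misconfiguration.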