krb5_db_init being used in do_as_req.c

Ken Raeburn raeburn at MIT.EDU
Tue Aug 29 08:42:22 EDT 2006


On Aug 29, 2006, at 07:57, Anil Belur wrote:
> We are enabling the LDAP plugin to update the attributes like
> krbLastSuccessfulAuth, krbLastFailedAuth and krbLoginFailedCount.
> I came across some parts of the code which are not DAL enabled.
> These parts of the code contain references to the krb5_db_init and
> krb5_db_set_name APIs. (do_as_req.c and loadv4.c)

Yes, the KDC database updates aren't a mode we test a lot, and  
obviously haven't with the LDAP plugin code.  (Or, more correctly,  
with the DAL changes, even if we just use the db back end.)  I guess  
I should probably disable that option until we can make it work.

It's going to need some rethinking for the LDAP case anyways, because  
a "login failed count" value can't be reliably updated by multiple  
KDCs without some kind of locking.  Not that the right thing would  
ever happen with the counts from the slave KDCs in the earlier  
versions, either....

Ken


