login policy plugins? (was Re: Lists of LDAP requirements
Will Fiveash
William.Fiveash at sun.com
Wed Jul 19 20:47:46 EDT 2006
On Tue, Jul 18, 2006 at 02:23:15PM -0500, Will Fiveash wrote:
> Sun Kerberos LDAP Plugin Requirements
> - I Schema
> - 1 krb principal attributes missing
> There are attributes missing that are needed to satisfy
> customer requirements. Should a krbLog structural object class
> similar to the IBM Skibbie schema be used for this?
> - last_success
> - last_failed
> - failed_auth_count
In regards to the missing items above I found a description of how to
deal with maintaining failed authentication count in
draft-behera-ldap-password-policy.txt. In the draft there is:
5.3.4 pwdFailureTime
This attribute holds the timestamps of the consecutive authentication
failures.
( 1.3.6.1.4.1.42.2.27.8.1.19
NAME 'pwdFailureTime'
DESC 'The timestamps of the last consecutive authentication
failures'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
NO-USER-MODIFICATION
USAGE directoryOperation )
So instead of using a single value attribute for failed_auth_count, a
multi-value attribute holding time-stamps of each failure to verify the
padata of an AS_REQ (the hostname of the KDC could be added for
uniqueness) could be used to track the failed_auth_count. This would
help with dir. replication issues. Unfortunately, I don't think the
DAL/SPI interface supports this in that the LDAP plugin would need to
update the time-stamp attribute but it can not determine when this needs
to be done.
This leads me to wonder if there should be a separate plugin interface
for dealing with login policy where login policy plugins would be called
by the KDC to determine if an AS_REP should be issued and when AS_REQ
padata verification fails. The login policy plugin would deal with the
specifics of acquiring the login policy and logging success and
failures. Thoughts?
--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
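The following is an added illustration, not part of the post or of any Kerberos or LDAP code, of the idea above: keep a multi-valued set of failure time-stamps (pwdFailureTime-style, tagged with the KDC host as the post suggests) and derive failed_auth_count from it, so that two replicas that each record failures converge by set union instead of one replica's counter overwriting the other's. The PrincipalEntry class, the in-memory set standing in for the directory attribute, the window-based counting and the lockout threshold are all assumptions of this example; the generalizedTime format is the LDAP syntax cited in the draft.

```python
from datetime import datetime, timedelta, timezone

# LDAP generalizedTime (syntax 1.3.6.1.4.1.1466.115.121.1.24), UTC form.
GT_FMT = "%Y%m%d%H%M%SZ"


def to_generalized_time(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime(GT_FMT)


def from_generalized_time(s: str) -> datetime:
    return datetime.strptime(s, GT_FMT).replace(tzinfo=timezone.utc)


class PrincipalEntry:
    """Constructed stand-in for a principal's directory entry.

    pwd_failure_time models the multi-valued attribute from the draft as a set
    of (timestamp, kdc_host) pairs; the host tag is the uniqueness hint from
    the post, so two KDCs failing in the same second are both kept.
    """

    def __init__(self) -> None:
        self.pwd_failure_time: set[tuple[str, str]] = set()


def record_failure(entry: PrincipalEntry, when: datetime, kdc_host: str) -> None:
    """Called when AS_REQ padata verification fails on a given KDC."""
    entry.pwd_failure_time.add((to_generalized_time(when), kdc_host))


def record_success(entry: PrincipalEntry) -> None:
    """A successful authentication ends the run of consecutive failures."""
    entry.pwd_failure_time.clear()


def failed_auth_count(entry: PrincipalEntry, now: datetime, window_seconds: int) -> int:
    """Derive the count from time-stamps instead of storing a counter."""
    cutoff = now - timedelta(seconds=window_seconds)
    return sum(1 for ts, _ in entry.pwd_failure_time if from_generalized_time(ts) >= cutoff)


def merge_replicas(a: PrincipalEntry, b: PrincipalEntry) -> PrincipalEntry:
    """Multi-valued attributes written on two replicas converge by union;
    no failure seen by either side is lost."""
    merged = PrincipalEntry()
    merged.pwd_failure_time = a.pwd_failure_time | b.pwd_failure_time
    return merged


def counter_after_replication(base: int, a_incr: int, b_incr: int, winner: str) -> int:
    """Contrast with a single-valued failed_auth_count: each replica writes
    base plus its own increments, and conflict resolution keeps one side."""
    return base + (a_incr if winner == "a" else b_incr)


def should_issue_as_rep(entry: PrincipalEntry, now: datetime,
                        window_seconds: int, max_failures: int) -> bool:
    """The lockout decision a login policy plugin would hand back to the KDC
    (threshold and window are assumed policy values)."""
    return failed_auth_count(entry, now, window_seconds) < max_failures


if __name__ == "__main__":
    t0 = from_generalized_time("20060719200000Z")
    kdc1, kdc2 = PrincipalEntry(), PrincipalEntry()
    record_failure(kdc1, t0, "kdc1.example.com")          # constructed host names
    record_failure(kdc1, t0 + timedelta(seconds=5), "kdc1.example.com")
    record_failure(kdc2, t0, "kdc2.example.com")
    merged = merge_replicas(kdc1, kdc2)
    print("failures after merge:", failed_auth_count(merged, t0 + timedelta(seconds=60), 600))
    print("counter after merge (kdc2 wins):", counter_after_replication(0, 2, 1, "b"))
```

The union of time-stamp sets yields three failures, while the single counter converges to whichever replica wrote last and silently drops the other KDC's increments; success clears the set, and failures older than the window stop counting without any explicit reset. Mapping the set onto a real pwdFailureTime attribute would need the KDC tag carried separately, since the generalizedTime syntax has no room for a suffix.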