login policy plugins? (was Re: Lists of LDAP requirements

Will Fiveash William.Fiveash at sun.com
Wed Jul 19 20:47:46 EDT 2006

On Tue, Jul 18, 2006 at 02:23:15PM -0500, Will Fiveash wrote:

> Sun Kerberos LDAP Plugin Requirements
> - I Schema
>    - 1 krb principal attributes missing
>         There are attributes missing that are needed to satisfy
>         customer requirements.  Should a krbLog structural object class
>         similar to the IBM Skibbie schema be used for this?
>       - last_success
>       - last_failed
>       - failed_auth_count

In regards to the missing items above I found a description of how to
deal with maintaining failed authentication count in
draft-behera-ldap-password-policy.txt.  In the draft there is:

5.3.4  pwdFailureTime

   This attribute holds the timestamps of the consecutive authentication
      NAME 'pwdFailureTime'
      DESC 'The timestamps of the last consecutive authentication
      EQUALITY generalizedTimeMatch
      ORDERING generalizedTimeOrderingMatch
      USAGE directoryOperation )

So instead of using a single value attribute for failed_auth_count, a
multi-value attribute holding time-stamps of each failure to verify the
padata of an AS_REQ (the hostname of the KDC could be added for
uniqueness) could be used to track the failed_auth_count.  This would
help with dir. replication issues.  Unfortunately, I don't think the
DAL/SPI interface supports this in that the LDAP plugin would need to
update the time-stamp attribute but it can not determine when this needs
to be done.

This leads me to wonder if there should be a separate plugin interface
for dealing with login policy where login policy plugins would be called
by the KDC to determine if an AS_REP should be issued and when AS_REQ
padata verification fails.  The login policy plugin would deal with the
specifics of acquiring the login policy and logging successes and
failures.  Thoughts?

Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
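The following is an added illustration, not code from the message or from the Sun plugin, of the scheme proposed above: failed_auth_count is derived from a multi-valued set of pwdFailureTime-style GeneralizedTime values rather than stored as a counter, so replicas can merge their records by set union. The sample timestamps, the last_success value and the lockout threshold are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: pwdFailureTime values (LDAP GeneralizedTime, as in
# draft-behera-ldap-password-policy) recorded for one principal on two replicas
# that each saw some of the failed AS_REQ padata verifications.
REPLICA_A = ["20060719200100Z", "20060719200130Z", "20060719200200Z"]
REPLICA_B = ["20060719200130Z", "20060719200245Z"]
LAST_SUCCESS = "20060719195900Z"   # constructed value for a last_success attribute


def parse_gt(value):
    """Parse the 'YYYYMMDDHHMMSSZ' GeneralizedTime form into an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def merge_failures(*replicas):
    """Replication-friendly merge: the union of timestamp values converges on
    every replica, whereas two replicas each incrementing a single integer
    counter would overwrite one another's update and lose failures."""
    return sorted({parse_gt(v) for replica in replicas for v in replica})


def failed_auth_count(failures, last_success=None, window_seconds=None, now=None):
    """Derive failed_auth_count from the multi-valued attribute: only failures
    after the last successful authentication count as consecutive, and an
    optional sliding window (ending at 'now', a GeneralizedTime string) ignores
    stale entries so old failures do not lock a principal out indefinitely."""
    since = parse_gt(last_success) if last_success else None
    cutoff = None
    if window_seconds is not None and now is not None:
        cutoff = parse_gt(now) - timedelta(seconds=window_seconds)
    return sum(1 for t in failures
               if (since is None or t > since) and (cutoff is None or t >= cutoff))


def should_issue_as_rep(count, max_failures):
    """The login-policy decision the message proposes delegating to a plugin:
    the KDC issues an AS_REP only while the consecutive failure count is below
    the configured threshold."""
    return count < max_failures


if __name__ == "__main__":
    merged = merge_failures(REPLICA_A, REPLICA_B)
    n = failed_auth_count(merged, LAST_SUCCESS)
    print("consecutive failures:", n, "issue AS_REP:", should_issue_as_rep(n, 3))
```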
