concerns with ldap plugin and 1.5
Nicolas Williams
Nicolas.Williams at sun.com
Thu Jun 1 12:38:11 EDT 2006
On Wed, May 31, 2006 at 07:53:57PM -0500, Will Fiveash wrote:
> - As Nico points out in another e-mail, several principal attributes
> (last_success, last_failed, failed_auth_count) found in the
> krb5_db_entry struct are not found in the current schema. Is there a
> reason they are missing?
I think failed_auth_count is really difficult to get right with standard
directory servers.
For some DSs you might have to write plug-ins for them to handle
concurrent increments/resets correctly. Other DSs may not fare as well.
Sam points to draft-zeilenga-ldap-incr-01.txt... But I'd rather see a
solution that works with off-the-shelf directory servers. Perhaps
something where the KDC creates bad login log entries as new objects of
a logging class; then to implement N-strikes requires querying for
recent log entries... The cost is an extra search per-AS-REQ processed
(but the N-strikes processing could be done elsewhere).
Nico
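The append-only "bad login log" scheme sketched above, as an added toy model that is not code from this thread or from MIT Kerberos: an in-memory list stands in for the logging-class objects, and the fields on each entry (principal, timestamp, success flag) and the strike/window parameters are assumptions.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class LoginLogEntry:
    principal: str
    timestamp: int   # seconds since the epoch (assumed field)
    success: bool    # False for a failed AS-REQ (assumed field)


class LoginLog:
    """Append-only log standing in for directory objects of a logging class.
    Each KDC only ever adds new objects; nothing is incremented in place, so
    concurrent writers cannot lose each other's updates the way a shared
    failed_auth_count attribute can without server-side atomic increment."""

    def __init__(self) -> None:
        self._entries: List[LoginLogEntry] = []

    def record(self, principal: str, timestamp: int, success: bool) -> None:
        self._entries.append(LoginLogEntry(principal, timestamp, success))

    def recent_failures(self, principal: str, now: int, window: int) -> int:
        """The extra per-AS-REQ search: failures for `principal` newer than
        `now - window` and newer than the principal's last successful login."""
        cutoff = now - window
        failures = 0
        mine = [e for e in self._entries if e.principal == principal]
        for e in sorted(mine, key=lambda e: e.timestamp):
            if e.success:
                failures = 0            # a success clears earlier strikes
            elif e.timestamp > cutoff:
                failures += 1
        return failures


def is_locked_out(log: LoginLog, principal: str, now: int,
                  strikes: int = 3, window: int = 600) -> bool:
    """N-strikes decision: locked once `strikes` failures fall inside the window."""
    return log.recent_failures(principal, now, window) >= strikes


def demo() -> dict:
    """Constructed timeline: two failures, a third failure, then a success."""
    log, p = LoginLog(), "alice@EXAMPLE.COM"
    log.record(p, 1000, False)
    log.record(p, 1010, False)
    before_third = is_locked_out(log, p, 1020)
    log.record(p, 1020, False)
    after_third = is_locked_out(log, p, 1030)
    log.record(p, 1100, True)
    after_success = is_locked_out(log, p, 1110)
    return {"before": before_third, "after": after_third, "after_success": after_success}
```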