More comments (Re: [Kdc-info] Preliminary draft of LDAP Kerberos schema)
Nicolas.Williams at sun.com
Wed May 31 15:53:00 EDT 2006
I think attributes for recording the time of the last good and bad AS
exchange pre-authentication would be good, and password-based vs. other
pre-auth mechanisms should be distinguished.
I don't think there should be a bad login count attribute though as I
don't see how it can be safely incremented/reset in a *portable* (w.r.t.
DSes, which I'm sure MIT would want) way given DSes that do multi-master
replication. I think that N-strikes-you're-locked (even with timeouts)
is a misguided feature, but customers ask for it, so a safe way (or
close to it) of counting bad logins may yet be needed; I do believe this
is feasible; I even think I know how to accomplish this. The KDC schema
should address this.
Meanwhile, code currently enabled at compile time when
KRBCONF_KDC_MODIFIES_KDB is defined should instead be enabled
at runtime when the KDB supports multi-master replication.
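The following is an added illustration, not part of the original message and not code from the MIT Kerberos tree, of the replication problem described above. It models a multi-master directory whose conflict resolution is last-writer-wins per attribute (an assumption about the DS, chosen because it is the weakest common behaviour a portable schema can rely on) and shows that a single badLoginCount attribute incremented and reset by two KDCs loses updates, then shows one construction that does converge on such a directory: one increment-only attribute per KDC, written only by that KDC, plus a snapshot of the per-KDC values recorded at the last successful pre-authentication. All attribute names (badLoginCount, badLoginIncr;kdcN, badLoginResetSnapshot) are made up for the example, and the scheme is a standard replicated-counter technique, not necessarily what the author had in mind.

```python
import itertools
from dataclasses import dataclass
from typing import Any, Dict, Tuple

# Hypothetical change-sequence number used as the replication timestamp.
_clock = itertools.count(1)


@dataclass
class LwwAttr:
    value: Any
    ts: int


class Replica:
    """One master of a multi-master directory holding a single principal entry.
    Conflict resolution is modelled as last-writer-wins per attribute; that is
    an assumption about the DS for this example, not a property of any product."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.attrs: Dict[str, LwwAttr] = {}

    def write(self, attr: str, value: Any) -> None:
        self.attrs[attr] = LwwAttr(value, next(_clock))

    def read(self, attr: str, default: Any = 0) -> Any:
        a = self.attrs.get(attr)
        return default if a is None else a.value

    def merge_from(self, other: "Replica") -> None:
        """Replication: for each attribute keep the value with the newest timestamp."""
        for k, v in other.attrs.items():
            mine = self.attrs.get(k)
            if mine is None or v.ts > mine.ts:
                self.attrs[k] = v


# --- unsafe: one shared read-modify-write counter (hypothetical attribute) ---

def naive_bad_login(r: Replica) -> None:
    r.write("badLoginCount", r.read("badLoginCount") + 1)


def naive_good_login(r: Replica) -> None:
    r.write("badLoginCount", 0)


# --- converging: one increment-only attribute per KDC plus a reset snapshot ---

KDCS: Tuple[str, ...] = ("kdc1", "kdc2")   # hypothetical KDC identifiers


def safe_bad_login(r: Replica, kdc: str) -> None:
    # Only `kdc` ever writes its own attribute, so LWW merge degenerates to max().
    attr = f"badLoginIncr;{kdc}"
    r.write(attr, r.read(attr) + 1)


def safe_good_login(r: Replica) -> None:
    # Record the per-KDC counts visible on this master; only strikes above this
    # baseline count. (A real schema would serialise the dict into one attribute.)
    r.write("badLoginResetSnapshot", {k: r.read(f"badLoginIncr;{k}") for k in KDCS})


def safe_count(r: Replica) -> int:
    snap = r.read("badLoginResetSnapshot", {})
    return sum(max(0, r.read(f"badLoginIncr;{k}") - snap.get(k, 0)) for k in KDCS)


# --- scenarios: two masters A and B, one KDC bound to each ---

def scenario_naive_concurrent_increment() -> Tuple[int, int]:
    a, b = Replica("A"), Replica("B")
    a.write("badLoginCount", 3)
    b.merge_from(a)
    naive_bad_login(a)            # failure seen by KDC1 on master A
    naive_bad_login(b)            # failure seen by KDC2 on master B, before A replicates
    a.merge_from(b)
    b.merge_from(a)
    return a.read("badLoginCount"), b.read("badLoginCount")   # (4, 4): one strike lost


def scenario_naive_reset_race() -> int:
    a, b = Replica("A"), Replica("B")
    a.write("badLoginCount", 4)
    b.merge_from(a)
    naive_good_login(a)           # user authenticates correctly at KDC1
    naive_bad_login(b)            # two failures at KDC2 before the reset replicates
    naive_bad_login(b)
    a.merge_from(b)
    b.merge_from(a)
    return a.read("badLoginCount")   # 6: the reset vanished and 4 stale strikes remain


def scenario_safe_concurrent_increment() -> Tuple[int, int]:
    a, b = Replica("A"), Replica("B")
    for _ in range(3):
        safe_bad_login(a, "kdc1")
    b.merge_from(a)
    safe_bad_login(a, "kdc1")
    safe_bad_login(b, "kdc2")
    a.merge_from(b)
    b.merge_from(a)
    return safe_count(a), safe_count(b)   # (5, 5): nothing lost


def scenario_safe_reset_race() -> Tuple[int, int]:
    a, b = Replica("A"), Replica("B")
    for _ in range(4):
        safe_bad_login(a, "kdc1")
    b.merge_from(a)
    safe_good_login(a)            # snapshot {kdc1: 4, kdc2: 0} taken on A
    safe_bad_login(b, "kdc2")
    safe_bad_login(b, "kdc2")
    a.merge_from(b)
    b.merge_from(a)
    return safe_count(a), safe_count(b)   # (2, 2): only post-reset strikes count
```

The converging variant never loses an increment, because each counter has exactly one writer and is monotonic, so the newest replicated value is always the largest. Its remaining inaccuracy is in the conservative direction: a failure recorded by another KDC that had not yet replicated when the snapshot was taken is counted after the reset, and of two concurrent resets the loser's clearing is discarded, so an account can lock slightly early but never later than a correct count would. The timestamps of the last good and bad pre-authentication proposed at the top of the message can be merged by LWW without this machinery, since a later timestamp winning is the desired semantics.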