More comments (Re: [Kdc-info] Preliminary draft of LDAP Kerberos schema)

[Nicolas Williams]

I think attributes for recording the time of the last good and bad AS
exchange pre-authentication would be good, and password-based vs.  other
pre-auth mechanisms should be distinguished.

I don't think there should be a bad login count attribute though as I
don't see how it can be safely incremented/reset in a *portable* (w.r.t.
DSes, which I'm sure MIT would want) way given DSes that do multi-master
replication.  I think that N-strikes-you're-locked (even with timeouts)
is a misguided feature, but customers ask for it, so a safe way (or
close to it) of counting bad logins may yet be needed; I do believe this
is feasible, I even think I know how to accomplish this.  The KDC schema
should address this.

Meanwhile, code currently enabled at compile time when
KRBCONF_KDC_MODIFIES_KDB is defined should instead be enabled
at runtime when the KDB supports multi-master replication.

Nico
--