Update kerberos password policy values on LDAP binds.

On a failed bind this will update krbLoginFailedCount and krbLastFailedAuth and will potentially fail the bind altogether. On a successful bind it will zero krbLoginFailedCount and set krbLastSuccessfulAuth. This will also enforce locked-out accounts. See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on kerberos lockout. ticket 343
2025-02-25 18:55:28 -06:00 · 2011-01-18 14:58:58 -05:00
parent 4361cd0242
commit cf9ec1c427
7 changed files with 712 additions and 0 deletions
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -204,6 +204,7 @@ class DsInstance(service.Service):
        self.step("configuring uuid plugin", self.__config_uuid_module)
        self.step("configuring modrdn plugin", self.__config_modrdn_module)
        self.step("enabling entryUSN plugin", self.__enable_entryusn)
+        self.step("configuring lockout plugin", self.__config_lockout_module)
        self.step("creating indices", self.__create_indices)
        self.step("configuring ssl for ds instance", self.__enable_ssl)
        self.step("configuring certmap.conf", self.__certmap_conf)
@@ -459,6 +460,9 @@ class DsInstance(service.Service):
        self._ldap_mod("modrdn-conf.ldif")
        self._ldap_mod("modrdn-krbprinc.ldif", self.sub_dict)

+    def __config_lockout_module(self):
+        self._ldap_mod("lockout-conf.ldif")
+
    def __user_private_groups(self):
        if not has_managed_entries(self.fqdn, self.dm_password):
            raise errors.NotFound(reason='Missing Managed Entries Plugin')