freeipa/daemons/ipa-slapi-plugins/ipa-pwd-extop
Rob Crittenden 3ab3578b36 On password reset also set krbLastAdminUnlock to unlock account
This fixes the case where an account is locked on one or more servers
and the password is reset by an administrator. The account would
remain locked on those servers for the duration of the lockout.

This is done by setting krbLastAdminUnlock to the current date and
time. The lockout plugin will see this and unlock the account. Since
the value should be replicated along with the password any server
that has the new password will also be unlocked.

This does incur an additional attribute that must be replicated,
whether it is needed or not, but since lockout is computed
per-server this is the only guaranteed way to be sure that the
account will be unlocked everywhere.

My original thought was to grab password replication events and detect
whether the user was locked out and unlock them. On any given server
you can only know if the user is locked out on that server by
computing it. Doing this would require generalizing the lockout code
so it could be computed on password change. krbLastFailedAuth could
be wiped which would unlock the account on that master (the attribute
is not replicated by default).

So it is complexity vs additional replication. Assuming that admin
reset is relatively rare let's start with that. This doesn't lock
us into this solution for the future.

We could set this attribute on user-driven password changes as
well but the original ask and my thinking are that if you forgot
your password and got locked out, how can you change it yourself?
Upon reflection I guess a user could fat-finger it a bunch of times
against one IPA server then have a revelation and log in against a
different server. So they would still be locked out for the duration
on the first one. I'm not sure the extra replication is worth it for
user-generated password changes or that users would be savvy enough
to try another server for the change.

https://pagure.io/freeipa/issue/8551

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-11 10:29:25 +02:00
common.c On password reset also set krbLastAdminUnlock to unlock account 2020-11-11 10:29:25 +02:00
encoding.c Heap corruption in ipapwd plugin 2016-07-19 13:17:37 +02:00
ipa_pwd_extop.c CVE-2020-1722: prevent use of too long passwords 2020-04-14 12:36:01 +03:00
ipapwd.h libotp: Replace NSS with OpenSSL HMAC 2020-06-08 20:04:18 +03:00
Makefile.am libotp: Replace NSS with OpenSSL HMAC 2020-06-08 20:04:18 +03:00
otpctrl.c Rename syncreq.[ch] to otpctrl.[ch] 2016-05-26 18:47:05 +02:00
otpctrl.h Migrate from #ifndef guards to #pragma once 2016-05-29 14:04:45 +02:00
prepost.c ipa-pwd-extop: use timegm() instead of mktime() to preserve timezone offset 2020-06-08 18:06:16 +02:00
pwd-extop-conf.ldif Enable transactions by default, make password and modrdn TXN-aware 2012-11-21 14:55:12 +01:00
README Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00