freeipa/daemons/ipa-slapi-plugins
Rob Crittenden 3ab3578b36 On password reset also set krbLastAdminUnlock to unlock account
This fixes the case where an account is locked on one or more servers
and the password is reset by an administrator. The account would
remain locked on those servers for the duration of the lockout.

This is done by setting krbLastAdminUnlock to the current date and
time. The lockout plugin will see this and unlock the account. Since
the value should be replicated along with the password any server
that has the new password will also be unlocked.

This does incur an additional attribute that must be replicated,
whether it is needed or not, but since lockout is computed
per-server this is the only guaranteed way to be sure that the
account will be unlocked everywhere.

My original thought was to grab password replication events and detect
whether the user was locked out and unlock them. On any given server
you can only know if the user is locked out on that server by
computing it. Doing this would require generalizing the lockout code
so it could be computed on password change. krbLastFailedAuth could
be wiped which would unlock the account on that master (the attribute
is not replicated by default).

So it is complexity vs additional replication. Assuming that admin
reset is relatively rare let's start with that. This doesn't lock
us into this solution for the future.

We could set this attribute on user-driven password changes as
well but the original ask and my thinking are that if you forgot
your password and got locked out, how can you change it yourself?
Upon reflection I guess a user could fat-finger it a bunch of times
against one IPA server then have a revelation and log in against a
different server. So they would still be locked out for the duration
on the first one. I'm not sure the extra replication is worth it for
user-generated password changes or that users would be savvy enough
to try another server for the change.

https://pagure.io/freeipa/issue/8551

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-11 10:29:25 +02:00
common Migrate from #ifndef guards to #pragma once 2016-05-29 14:04:45 +02:00
ipa-cldap Easier to use ipa_gethostfqdn() 2020-10-26 17:11:19 +11:00
ipa-dns slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
ipa-enrollment slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
ipa-extdom-extop extdom-extop: refactor tests to use unshare+chroot to override nss_files configuration 2020-08-04 18:43:22 +03:00
ipa-lockout slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
ipa-modrdn slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
ipa-otp-counter slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
ipa-otp-lasttoken User must not be able to delete his last active otp token 2018-02-15 14:10:48 +01:00
ipa-pwd-extop On password reset also set krbLastAdminUnlock to unlock account 2020-11-11 10:29:25 +02:00
ipa-range-check slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
ipa-sidgen ipa-sidgen: make internal fetch_attr helper really internal 2018-12-14 14:04:02 +01:00
ipa-uuid 389-ds-base crashed as part of ipa-server-intall in ipa-uuid 2017-11-08 08:06:35 +01:00
ipa-version slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
ipa-winsync slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
libotp Fix compiler warnings in libotp 2020-09-26 10:43:42 +03:00
topology Cleanup shebang and executable bit 2018-07-05 19:46:42 +02:00
Makefile.am Build: remove incorrect use of MAINTAINERCLEANFILES 2016-11-16 09:12:07 +01:00
README Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00