CVS update: samba/source/passdb
Andrew Bartlett
abartlet at samba.org
Thu Mar 18 21:26:57 GMT 2004
On Fri, 2004-03-19 at 06:22, jmcd at samba.org wrote:
> Date: Thu Mar 18 19:22:51 2004
> Author: jmcd
>
> Update of /home/cvs/samba/source/passdb
> In directory dp.samba.org:/tmp/cvs-serv9640/passdb
>
> Modified Files:
> Tag: SAMBA_3_0
> pdb_ldap.c
> Added Files:
> Tag: SAMBA_3_0
> login_cache.c
> Log Message:
> Password lockout for LDAP backend. Caches autolock flag, bad count, and
> bad time locally, updating the directory only for hitting the policy limit
> or resetting.
>
> This needed to be done at the passdb level rather than auth, because some
> of the functions need to be supported from tools such as pdbedit. It was
> done at the LDAP backend level instead of generically after discussion,
> because of the complexity of inserting it at a higher level.
>
> The login cache read/write/delete is outside of the ldap backend, so it could
> easily be called by other backends. tdbsam won't call it for obvious
> reasons, and authors of other backends need to decide if they want to
> implement it.
Very nice work there!
My only concern is for races. If we have a password attack aimed at us,
will we always increment/check the counters correctly?
I'm thinking that for this particular case, we should have a passdb
operation (like modify etc) that is 'pdb_set_bad_password()'.
This would tie in with what I've been discussing regarding the LDAP
password policy draft, where it is suggested that for a compatible LDAP
server, that we send a 'there was a bad password' control to that LDAP
server (which would perform modifications etc).
In the case where we have a normal LDAP server, this would allow the
backend and cache to loop until the correct atomic increment has
occurred (which is not normally the desired behaviour in these
database-like backends).
What do you think of that?
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
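As an added illustration of the atomic increment discussed above (example code written for this page, not Samba's own implementation): a pdb_set_bad_password() that retries a compare-and-swap until its increment lands, and tells the caller when the directory itself must be updated (hitting the limit, or a reset). BAD_PASSWORD_LIMIT and the cache struct layout are assumptions.

```c
/* Added example (not Samba code): a local login-cache entry that keeps the
 * bad-password count, time and autolock flag, updated with a compare-and-swap
 * loop so concurrent failed logins cannot lose an increment or lock twice.
 * BAD_PASSWORD_LIMIT and the struct layout are hypothetical. */
#include <stdatomic.h>
#include <stdbool.h>
#include <time.h>

#define BAD_PASSWORD_LIMIT 5u   /* hypothetical account-policy limit */

struct login_cache_entry {
    atomic_uint     bad_password_count;
    atomic_bool     auto_locked;       /* mirrors the autolock flag in the directory */
    _Atomic(time_t) bad_password_time;
};

/* Record one failed login. Returns true only for the single caller whose
 * increment reaches the policy limit; that caller must write the lockout to
 * the directory. Every other failure is absorbed by the local cache. */
bool pdb_set_bad_password(struct login_cache_entry *e, time_t now)
{
    unsigned seen = atomic_load(&e->bad_password_count);
    for (;;) {
        if (seen >= BAD_PASSWORD_LIMIT)
            return false;             /* already locked out; nothing more to count */
        /* If another thread changed the count since we read it, the CAS fails
         * and refreshes 'seen' with the current value, so we retry from there
         * instead of overwriting their increment with our stale value. */
        if (atomic_compare_exchange_weak(&e->bad_password_count, &seen, seen + 1))
            break;
    }
    atomic_store(&e->bad_password_time, now);
    if (seen + 1 == BAD_PASSWORD_LIMIT) {
        atomic_store(&e->auto_locked, true);
        return true;
    }
    return false;
}

/* Successful login or administrative unlock: clear the cached counters.
 * This is the other case where the directory itself must be updated. */
void login_cache_reset(struct login_cache_entry *e)
{
    atomic_store(&e->bad_password_count, 0u);
    atomic_store(&e->auto_locked, false);
    atomic_store(&e->bad_password_time, (time_t)0);
}

unsigned login_cache_bad_count(struct login_cache_entry *e) { return atomic_load(&e->bad_password_count); }
bool login_cache_locked(struct login_cache_entry *e) { return atomic_load(&e->auto_locked); }
```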