CVS update: samba/source/passdb

Andrew Bartlett abartlet at samba.org
Thu Mar 18 21:26:57 GMT 2004


On Fri, 2004-03-19 at 06:22, jmcd at samba.org wrote:
> Date:	Thu Mar 18 19:22:51 2004
> Author:	jmcd
> 
> Update of /home/cvs/samba/source/passdb
> In directory dp.samba.org:/tmp/cvs-serv9640/passdb
> 
> Modified Files:
>       Tag: SAMBA_3_0
> 	pdb_ldap.c 
> Added Files:
>       Tag: SAMBA_3_0
> 	login_cache.c 
> Log Message:
> Password lockout for LDAP backend.  Caches autolock flag, bad count, and
> bad time locally, updating the directory only for hitting the policy limit
> or resetting.
> 
> This needed to be done at the passdb level rather than auth, because some
> of the functions need to be supported from tools such as pdbedit.  It was
> done at the LDAP backend level instead of generically after discussion,
> because of the complexity of inserting it at a higher level.
> 
> The login cache read/write/delete is outside of the ldap backend, so it could
> easily be called by other backends.  tdbsam won't call it for obvious
> reasons, and authors of other backends need to decide if they want to 
> implement it.

Very nice work there!

My only concern is for races.  If we have a password attack aimed at us,
will we always increment/check the counters correctly?  

I'm thinking that for this particular case, we should have a passdb
operation (like modify etc) that is 'pdb_set_bad_password()'.  

This would tie in with what I've been discussing regarding the LDAP
password policy draft, where it is suggested that for a compatible LDAP
server, that we send a 'there was a bad password' control to that LDAP
server (which would perform modifications etc).

In the case where we have a normal LDAP server, this would allow the
backend and cache to loop until the correct atomic increment has
occurred (which is not normally the desired behaviour in these
database-like backends).

What do you think of that?

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
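The race Andrew raises, and the retry loop he proposes for a plain LDAP server, as an added illustration in C that is not Samba code: `struct dir_entry`, `dir_modify_cas()` and this `pdb_set_bad_password()` are hypothetical names, and the directory is simulated in memory with a compare-and-swap standing in for one LDAP modify that deletes the old counter value and adds the new one in a single operation (which fails rather than overwriting if another process changed the value first).

```c
#include <stdio.h>
#include <stdbool.h>

#define MAX_RETRIES 10

/* Simulated directory entry (hypothetical, stands in for the LDAP object). */
struct dir_entry {
    unsigned bad_password_count;
    bool autolock;
};

/* Stands in for one LDAP modify that deletes the old value and adds the new
 * value of the counter attribute: it succeeds only if the stored value still
 * equals what this caller read, so a concurrent update makes it fail instead
 * of being silently overwritten. */
static bool dir_modify_cas(struct dir_entry *e, unsigned expected, unsigned newval)
{
    if (e->bad_password_count != expected) {
        return false;
    }
    e->bad_password_count = newval;
    return true;
}

/* Hypothetical pdb_set_bad_password(): re-read and retry until the increment
 * lands, then apply the lockout policy to the value actually stored. */
static int pdb_set_bad_password(struct dir_entry *e, unsigned policy_limit)
{
    for (int attempt = 0; attempt < MAX_RETRIES; attempt++) {
        unsigned seen = e->bad_password_count;
        if (dir_modify_cas(e, seen, seen + 1)) {
            if (seen + 1 >= policy_limit) {
                e->autolock = true;
            }
            return 0;
        }
        /* lost the race with another logon attempt: loop and re-read */
    }
    return -1;
}

/* Two bad logons A and B interleaved with naive read-modify-write:
 * B's increment is lost and the counter ends at 1 instead of 2. */
static unsigned simulate_lost_update(void)
{
    struct dir_entry e = { 0, false };
    unsigned seen_by_a = e.bad_password_count;          /* A reads 0 */
    e.bad_password_count = e.bad_password_count + 1;    /* B reads 0, writes 1 */
    e.bad_password_count = seen_by_a + 1;               /* A writes 1: B's update is lost */
    return e.bad_password_count;
}

/* Same interleaving with the conditional modify: A's stale write is rejected,
 * A retries from the fresh value, and the counter ends at 2. */
static unsigned simulate_cas_retry(void)
{
    struct dir_entry e = { 0, false };
    unsigned seen_by_a = e.bad_password_count;          /* A reads 0 */
    pdb_set_bad_password(&e, 3);                        /* B: 0 -> 1 */
    if (!dir_modify_cas(&e, seen_by_a, seen_by_a + 1)) { /* A's stale write fails */
        pdb_set_bad_password(&e, 3);                    /* A retries: 1 -> 2 */
    }
    return e.bad_password_count;
}

/* Reaching the policy limit sets the autolock flag. */
static bool simulate_lockout(unsigned failures, unsigned policy_limit)
{
    struct dir_entry e = { 0, false };
    for (unsigned i = 0; i < failures; i++) {
        pdb_set_bad_password(&e, policy_limit);
    }
    return e.autolock;
}

int main(void)
{
    printf("naive counter after two failures: %u\n", simulate_lost_update());
    printf("retrying counter after two failures: %u\n", simulate_cas_retry());
    printf("locked after 3 failures with limit 3: %s\n",
           simulate_lockout(3, 3) ? "yes" : "no");
    return 0;
}
```

The naive path models the concern in the reply: under a password-guessing burst, two smbd processes can each read the same count and both write count+1, so one failure is never counted and the lockout threshold is reached late or never. The conditional modify makes the stale write fail loudly, and the loop converges on the true count; the bounded retry keeps a permanently contended entry from hanging the logon path.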