CVS update: samba/source/passdb
abartlet at samba.org
Thu Mar 18 21:26:57 GMT 2004
On Fri, 2004-03-19 at 06:22, jmcd at samba.org wrote:
> Date: Thu Mar 18 19:22:51 2004
> Author: jmcd
> Update of /home/cvs/samba/source/passdb
> In directory dp.samba.org:/tmp/cvs-serv9640/passdb
> Modified Files:
> Tag: SAMBA_3_0
> Added Files:
> Tag: SAMBA_3_0
> Log Message:
> Password lockout for LDAP backend. Caches autolock flag, bad count, and
> bad time locally, updating the directory only for hitting the policy limit
> or resetting.
> This needed to be done at the passdb level rather than auth, because some
> of the functions need to be supported from tools such as pdbedit. It was
> done at the LDAP backend level instead of generically after discussion,
> because of the complexity of inserting it at a higher level.
> The login cache read/write/delete is outside of the ldap backend, so it could
> easily be called by other backends. tdbsam won't call it for obvious
> reasons, and authors of other backends need to decide if they want to
> implement it.
Very nice work there!
My only concern is for races. If we have a password attack aimed at us,
will we always increment/check the counters correctly?
I'm thinking that for this particular case, we should have a passdb
operation (like modify etc) that is 'pdb_set_bad_password()'.
This would tie in with what I've been discussing regarding the LDAP
password policy draft, where it is suggested that for a compatible LDAP
server, we send a 'there was a bad password' control to that LDAP
server (which would perform modifications etc).
In the case where we have a normal LDAP server, this would allow the
backend and cache to loop until the correct atomic increment has
occurred (which is not normally the desired behaviour in these
What do you think of that?
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
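To illustrate the race Andrew raises, here is an added example (not code from the commit or from Samba) of a hypothetical pdb_set_bad_password() that re-reads the cached entry and retries a conditional write until its increment is applied, beside the plain read-modify-write that loses a concurrent failure. The struct, the version field and the in-memory store are assumptions standing in for whatever the real login cache or directory would provide.

```c
#include <stdbool.h>
#include <stdint.h>
/* Hypothetical per-user login-cache entry: the fields the commit caches plus a version. */
struct login_entry {
    uint32_t bad_count;   /* failed attempts since the last reset */
    uint32_t bad_time;    /* unix time of the last failure */
    bool     acct_locked; /* autolock flag, set when the policy limit is hit */
    uint32_t version;     /* bumped on every successful write */
};
/* Commit 'desired' only if nothing was written since the 'seen' snapshot was taken. */
static bool cas_write(struct login_entry *store, const struct login_entry *seen,
                      struct login_entry desired)
{
    if (store->version != seen->version) return false; /* lost the race: re-read and retry */
    desired.version = seen->version + 1;
    *store = desired;
    return true;
}
/* Count one failure on top of a snapshot; lock when the policy threshold is reached. */
static struct login_entry count_failure(struct login_entry cur, uint32_t threshold, uint32_t now)
{
    cur.bad_count++;
    cur.bad_time = now;
    if (threshold && cur.bad_count >= threshold) cur.acct_locked = true;
    return cur;
}
/* Hypothetical pdb_set_bad_password(): re-read and retry until the increment lands on
 * the latest state, so concurrent failures are never lost; returns false (fail closed)
 * if no progress is made within max_retries. */
bool pdb_set_bad_password(struct login_entry *store, uint32_t threshold, uint32_t now, int max_retries)
{
    for (int i = 0; i < max_retries; i++) {
        struct login_entry seen = *store;
        if (cas_write(store, &seen, count_failure(seen, threshold, now))) return true;
    }
    return false;
}
/* Two concurrent failures A and B read the same state and A commits first: a plain
 * overwrite loses A's increment (count 1); the conditional write rejects B's stale
 * update, B retries on top of A's, and both are counted (count 2). */
void race_demo(uint32_t threshold, uint32_t *plain_count, uint32_t *cas_count)
{
    struct login_entry st = {0}, snap = st;      /* both A and B read this state */
    st = count_failure(snap, threshold, 1);      /* A: plain read-modify-write */
    st = count_failure(snap, threshold, 2);      /* B: overwrites A's increment */
    *plain_count = st.bad_count;
    st = snap;                                   /* replay with conditional writes */
    cas_write(&st, &snap, count_failure(snap, threshold, 1));
    if (!cas_write(&st, &snap, count_failure(snap, threshold, 2)))
        pdb_set_bad_password(&st, threshold, 2, 3);
    *cas_count = st.bad_count;
}
```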