authorRob Crittenden <rcritten@redhat.com>2011-01-18 14:58:58 -0500
committerRob Crittenden <rcritten@redhat.com>2011-01-21 13:59:24 -0500
commitcf9ec1c4271e1f2b35f9a4377550064bad0387c3 (patch)
tree5f586544af7a8ca1f701d182d1584374b864d27b /ipaserver
parent4361cd02422d8a6b30d67bb6869af9c67f7ec9c0 (diff)
Update kerberos password policy values on LDAP binds.
On a failed bind this will update krbLoginFailedCount and krbLastFailedAuth and will potentially fail the bind altogether. On a successful bind it will zero krbLoginFailedCount and set krbLastSuccessfulAuth. This will also enforce locked-out accounts. See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on kerberos lockout. ticket 343
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/dsinstance.py4
1 files changed, 4 insertions, 0 deletions
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 378e01234..9a121ea62 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -204,6 +204,7 @@ class DsInstance(service.Service):
self.step("configuring uuid plugin", self.__config_uuid_module)
self.step("configuring modrdn plugin", self.__config_modrdn_module)
self.step("enabling entryUSN plugin", self.__enable_entryusn)
+ self.step("configuring lockout plugin", self.__config_lockout_module)
self.step("creating indices", self.__create_indices)
self.step("configuring ssl for ds instance", self.__enable_ssl)
self.step("configuring certmap.conf", self.__certmap_conf)
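Review bot: The added `self.step("configuring lockout plugin", self.__config_lockout_module)` registers the plugin only in this one install step list. Whether lockout is also enforced on servers installed before this commit, or set up through any other step list in DsInstance, cannot be confirmed from this view: the diffstat is limited to ipaserver and the enclosing method starts outside the hunk. Bind-time lockout is a security control, so a server left without the plugin would keep accepting repeated failed binds without any visible error. I would add a comment above the step such as `# fresh installs only: upgraded servers and replicas must get lockout-conf.ldif applied as well` and confirm that the upgrade path does so.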
@@ -459,6 +460,9 @@ class DsInstance(service.Service):
self._ldap_mod("modrdn-conf.ldif")
self._ldap_mod("modrdn-krbprinc.ldif", self.sub_dict)
+ def __config_lockout_module(self):
+ self._ldap_mod("lockout-conf.ldif")
+
def __user_private_groups(self):
if not has_managed_entries(self.fqdn, self.dm_password):
raise errors.NotFound(reason='Missing Managed Entries Plugin')
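Review bot: `__config_lockout_module` does not check the outcome of `self._ldap_mod("lockout-conf.ldif")`, so if `_ldap_mod` only logs a failed modify (its body is outside this hunk) the install would finish with no lockout enforcement on LDAP binds. `__user_private_groups` just below raises `errors.NotFound` when its plugin is missing; the lockout step deserves an equally hard failure, or at least a post-check that the plugin entry exists. The method also has no docstring; I would add `"""Load lockout-conf.ldif, which configures the plugin that applies the Kerberos lockout policy to LDAP binds."""`.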