diff options
author | Greg Hudson <ghudson@mit.edu> | 2013-11-18 18:59:17 -0500 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2013-11-18 19:21:48 -0500 |
commit | 8eb9e6fe1b01faa875dcf91b618ad4cd7793438a (patch) | |
tree | ded45280f53f6db9005da03de934f61120cad769 /doc | |
parent | 0b3225d63f50d4e6297be5d751cae1d3368fcdb1 (diff) | |
download | krb5-8eb9e6fe1b01faa875dcf91b618ad4cd7793438a.tar.gz krb5-8eb9e6fe1b01faa875dcf91b618ad4cd7793438a.tar.xz krb5-8eb9e6fe1b01faa875dcf91b618ad4cd7793438a.zip |
Clarify lockout replication issues in docs
In the "KDC replication and account lockout" section of lockout.rst,
specifically call out kprop and incremental propagation as the
mechanisms which do not replicate account lockout state, and add a
note that KDCs using LDAP may not be affected by that section's
concerns.
ticket: 7773 (new)
target_version: 1.12
tags: pullup
Diffstat (limited to 'doc')
-rw-r--r-- | doc/admin/lockout.rst | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/doc/admin/lockout.rst b/doc/admin/lockout.rst index e52092191d..7e62841c74 100644 --- a/doc/admin/lockout.rst +++ b/doc/admin/lockout.rst @@ -95,19 +95,25 @@ This command will reset the number of failed attempts to 0. KDC replication and account lockout ----------------------------------- -The account lockout state of a principal is not replicated between -KDCs. Because of this, the number of attempts an attacker can make -within a time period is multiplied by the number of KDCs. For -instance, if the **maxfailure** parameter on a policy is 10 and there -are four KDCs in the environment (a master and three slaves), an -attacker could make as many as 40 attempts before the principal is -locked out on all four KDCs. +The account lockout state of a principal is not replicated by either +traditional :ref:`kprop(8)` or incremental propagation. Because of +this, the number of attempts an attacker can make within a time period +is multiplied by the number of KDCs. For instance, if the +**maxfailure** parameter on a policy is 10 and there are four KDCs in +the environment (a master and three slaves), an attacker could make as +many as 40 attempts before the principal is locked out on all four +KDCs. An administrative unlock is propagated from the master to the slave KDCs during the next propagation. Propagation of an administrative unlock will cause the counter of failed attempts on each slave to reset to 1 on the next failure. +If a KDC environment uses a replication strategy other than kprop or +incremental propagation, such as the LDAP KDB module with multi-master +LDAP replication, then account lockout state may be replicated between +KDCs and the concerns of this section may not apply. + KDC performance and account lockout ----------------------------------- |