Red Hat Bugzilla – Bug 971087
[RFE] Replicate failed login attribute (krbLoginFailedCount)
Last modified: 2018-01-16 16:58:16 EST
1. Proposed title of this feature request
IPA Failed Login Replication
2. Who is the customer behind the request? Northrup Grumman
Account: name (acct #)1267526
3. What is the nature and description of the request?
Failed login attempts need to be replicated throughout the environment such that a user that has used all their failed logins gets locked out of the environment instead of just the one IPA server that the failed logins were on.
4. Why do you need this? (List the business requirements here)
This is a big security issue and a government requirement.
5. How would you like to achieve this? (List the functional requirements here)
No special requirements. It just needs to be replicated throughout all IPA servers.
6. For each functional requirement listed, specify how Red Hat and you can test to confirm the requirement is successfully implemented.
7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
8. Do you have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
No specific timeline, but quicker is better.
9. Is the sales team involved in this request and do they have any additional input?
10. List any affected packages or components.
11. Would you be able to assist in testing this functionality if implemented?
Yes - as much as possible within and possibly outside of a classified network.
Simo/Rob - were there any specific decisions made in the past that led us to avoid replicating failed logins?
This is BTW the list of our currently non-replicated attrs:
# meTovm-119.idm.lab.bos.redhat.com, replica, dc\3Didm\2Cdc\3Dlab\2Cdc\3Dbos\2Cdc\3Dredhat\2Cdc\3Dcom, mapping tree, config
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
Maybe we should allow users to leave "krblastsuccessfulauth krblastfailedauth krbloginfailedcount" out of the blacklist...
Every single authentication attempt, successful or not, would result in a replication event. Our feeling was that even on a small to moderately sized installation this would cause issues.
Hello all, Has there been any progress on this? What's the latest word?
(In reply to Jesse Triplett from comment #10)
> Hello all, Has there been any progress on this? What's the latest word?
Looks like a fix is targeted for RHEL 6.6
Correct, the upstream ticket was filed and triaged, first designs were created. As Rich said, this Bugzilla is currently targeted for RHEL 6.6.
*** Bug 1137024 has been marked as a duplicate of this bug. ***
Could you please let us know the timeline for when this bug will be fixed.
With Bug 1298848 being currently scheduled for RHEL-7.3, it should be possible to specify attributes that should or should not be replicated in different segments of the Topology.
Ludwig, can you please assess if this RFE can be satisfied with the current Topology feature as is or more work is needed? (which would mean the RFE is not provided in 7.3)
The feature to specify different attrlist for different segments is there in the topology plugin, but it was there already before by directly modifying the replication agreements.
What was missing and what is still missing is support from the cli or gui to change these settings or to specify a different default at server installation.
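The fractional replication setting quoted earlier in this bug, and the note above that it can be changed per agreement directly, as an added example that is not the bug's own or FreeIPA's code: a Python helper that unfolds ldapsearch output, parses the "(filter) $ EXCLUDE ..." value, reports which lockout attributes an agreement still leaves out, and emits an ldapmodify LDIF that drops them from both exclude lists. The sample LDIF and the full agreement DN are constructed assumptions modelled on the entry quoted in the bug.

```python
import re

# Constructed sample modelled on the agreement entry quoted in the bug: LDIF as
# ldapsearch prints it, long values folded onto lines that begin with one space.
# The full DN is an assumption about the agreement entry's name, not page text.
SAMPLE_LDIF = """\
dn: cn=meTovm-119.idm.lab.bos.redhat.com,cn=replica,cn=dc\\3Didm\\2Cdc\\3Dlab
 \\2Cdc\\3Dbos\\2Cdc\\3Dredhat\\2Cdc\\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
  entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
 uccessfulauth krblastfailedauth krbloginfailedcount
"""

# The three attributes this RFE asks to start replicating.
LOCKOUT_ATTRS = {"krblastsuccessfulauth", "krblastfailedauth", "krbloginfailedcount"}

def parse_entry(ldif_text):
    """Unfold LDIF continuation lines (leading space) and map attribute -> value."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return dict(line.split(": ", 1) for line in lines)

def parse_attr_list(value):
    """Split '(objectclass=*) $ EXCLUDE a b c' into its filter and exclusion list."""
    m = re.fullmatch(r"\s*(\(.*\))\s*\$\s*EXCLUDE\s*(.*)", value)
    if not m:
        raise ValueError("unrecognised fractional replication value: %r" % value)
    return m.group(1), [a.lower() for a in m.group(2).split()]

def excluded_lockout_attrs(ldif_text):
    """Audit helper: which lockout attributes does this agreement still leave out?"""
    _, excluded = parse_attr_list(parse_entry(ldif_text)["nsDS5ReplicatedAttributeList"])
    return LOCKOUT_ATTRS & set(excluded)

def stop_excluding(ldif_text, attrs=LOCKOUT_ATTRS):
    """Build an ldapmodify LDIF that drops `attrs` from both EXCLUDE lists."""
    entry = parse_entry(ldif_text)
    out = ["dn: " + entry["dn"], "changetype: modify"]
    for name in ("nsDS5ReplicatedAttributeList", "nsDS5ReplicatedAttributeListTotal"):
        flt, excluded = parse_attr_list(entry[name])
        keep = " ".join(a for a in excluded if a not in attrs)
        out += ["replace: " + name, "%s: %s $ EXCLUDE %s" % (name, flt, keep), "-"]
    return "\n".join(out) + "\n"
```

Each replication agreement is a separate entry, so the modify has to be generated and applied per agreement (per topology segment); as comment 5 in this bug points out, once these attributes replicate every authentication attempt becomes a replication event, so measure the added traffic on a test topology first.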
As one of the replication dependencies has been resolved under
is there any chance of some movement on resolving this issue as part of
*** Bug 1523066 has been marked as a duplicate of this bug. ***