Bug 971087 - [RFE] Replicate failed login attribute (krbLoginFailedCount)
Summary: [RFE] Replicate failed login attribute (krbLoginFailedCount)
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa   
(Show other bugs)
Version: 7.0
Hardware: Unspecified Unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
Keywords: FutureFeature
: 1137024 1523066 (view as bug list)
Depends On:
Blocks: 1203710 1420851
TreeView+ depends on / blocked
Reported: 2013-06-05 16:05 UTC by Jesse Triplett
Modified: 2019-01-08 22:36 UTC (History)
21 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
FedoraHosted FreeIPA 3863 None None None 2017-12-10 22:20 UTC
FedoraHosted FreeIPA 4302 None None None 2017-12-10 22:22 UTC

Description Jesse Triplett 2013-06-05 16:05:22 UTC
1. Proposed title of this feature request
IPA Failed Login Replication

2. Who is the customer behind the request? Northrup Grumman
Account: name (acct #)1267526

3. What is the nature and description of the request?
Failed login attempts need to be replicated throughout the environement such that a user that has used all their failed logins gets locked out of the environement instead of just the one IPA server that the failed logins were on.

4. Why do you need this? (List the business requirements here)
This a big security issue and a government requirement.

5. How would you like to achieve this? (List the functional requirements here)
No special requirements. It just needs to be replicated throughout all IPA servers.

6. For each functional requirement listed, specify how Red Hat and you can test to confirm the requirement is successfully implemented.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?

8. Do you have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
Not specific Timeline but quicker is better

9. Is the sales team involved in this request and do they have any additional input?

10. List any affected packages or components.

11. Would you be able to assist in testing this functionality if implemented?
Yes - as much as possible within and possibly outside of a classified network.

Comment 2 Martin Kosek 2013-06-06 07:45:54 UTC
Simo/Rob - were there any specific decision done in the past that lead us to avoid replicating failed logins?

This is BTW the list of our currently non-replicated attrs:
# meTovm-119.idm.lab.bos.redhat.com, replica, dc\3Didm\2Cdc\3Dlab\2Cdc\3Dbos\
 2Cdc\3Dredhat\2Cdc\3Dcom, mapping tree, config
dn: cn=meTovm-119.idm.lab.bos.redhat.com,cn=replica,cn=dc\3Didm\2Cdc\3Dlab\2Cd
 c\3Dbos\2Cdc\3Dredhat\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
  entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
 uccessfulauth krblastfailedauth krbloginfailedcount

Maybe we should allow users to leave "krblastsuccessfulauth krblastfailedauth krbloginfailedcount" out of the blacklist...

Comment 3 Rob Crittenden 2013-06-06 18:34:44 UTC
Every single authentication attempt, successful or not, would result in a replication event. Our feeling was that even on a small to moderately sized installation this would cause issues.

Comment 6 Martin Kosek 2013-06-07 06:22:43 UTC
Upstream ticket:

Comment 10 Jesse Triplett 2013-07-31 17:00:16 UTC
Hello all, Has there been any progress on this?  What's the latest word?

Comment 11 Rich Megginson 2013-07-31 17:08:47 UTC
(In reply to Jesse Triplett from comment #10)
> Hello all, Has there been any progress on this?  What's the latest word?

Looks like a fix is targeted for RHEL 6.6

Comment 12 Martin Kosek 2013-08-01 07:02:38 UTC
Correct, the upstream ticket was filed and triaged, first designs were created. As Rich said, this Bugzilla is currently targeted for RHEL 6.6.

Comment 22 Eugene Keck 2014-09-04 14:17:49 UTC
*** Bug 1137024 has been marked as a duplicate of this bug. ***

Comment 23 Arpit Tolani 2016-01-13 23:27:01 UTC

could you please let us know what is the timeline this bug will be fixed.

Thank you.

Comment 24 Martin Kosek 2016-06-10 08:04:54 UTC
With Bug 1298848 being currently scheduled for RHEL-7.3, it should be possible to specify attributes that should or should not be replicated in different segments of the Topology.

Ludwig, can you please assess if this RFE can be satisfied with the current Topology feature as is or more work is needed? (which would mean the RFE is not provided in 7.3)

Comment 25 Ludwig 2016-06-10 08:22:02 UTC
The feature to specify different attrlist for different segments is there in the topology plugin, but it was there already before by directly modifying the replication agreements. 
What was missing and what is still missing is support from the cli or gui to change these settings or to specify a different default at server installation.

Comment 32 Steven Ellis 2017-12-10 22:24:37 UTC
As one of the replication dependencies has been resolved under
 - https://pagure.io/freeipa/issue/4302
is there any chance of some movement on resolving this issue as part of
 - https://pagure.io/freeipa/issue/3863

Comment 33 Florence Blanc-Renaud 2017-12-15 17:02:56 UTC
*** Bug 1523066 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.