Make KADM5_FAIL_AUTH_COUNT_INCREMENT more robust with LDAP
authorGreg Hudson <ghudson@mit.edu>
Mon, 10 May 2010 22:23:57 +0000 (22:23 +0000)
committerGreg Hudson <ghudson@mit.edu>
Mon, 10 May 2010 22:23:57 +0000 (22:23 +0000)
commitf795c92a96a2a559fe01fc5906d488167ab6b4b9
tree424066be25dee63275ffd2de7c74a01a37a88c50
parent474d090744caec0b54997d45004c8b4ea66382a2
Make KADM5_FAIL_AUTH_COUNT_INCREMENT more robust with LDAP

In krb5_ldap_put_principal, use krb5_get_attributes_mask to determine
whether krbLoginFailedCount existed on the entry when it was
retrieved.  If it didn't exist, don't try to use LDAP_MOD_INCREMENT,
and don't assert an old value when not using LDAP_MOD_INCREMENT.

Also, create the krbLoginFailedCount attribute when creating new
entries.  This allows us to use LDAP_MOD_INCREMENT during the first
failed login (if the server supports it), avoiding a race condition.

ticket: 6718
target_version: 1.8.2
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24002 dc483132-0cff-0310-8789-dd5450dbe970
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c