dsdb: Lookup PSO's lockout settings for password_hash modifies
author    Tim Beale <timbeale@catalyst.net.nz>
          Wed, 18 Apr 2018 02:21:46 +0000 (14:21 +1200)
committer Garming Sam <garming@samba.org>
          Wed, 23 May 2018 04:55:31 +0000 (06:55 +0200)
commit    e40af276f8d0eb8fd7e38094101b1874177ea6b0
tree      142f2f895fea743def24f6536940423fec8bc038
parent    05e25a728c9260fe1696500ed26a7c4f9ad85c57
dsdb: Lookup PSO's lockout settings for password_hash modifies

When a user's password-hash is modified, we need the PSO settings for
that user, so that any lockout settings get applied correctly.

To do this, we query the msDS-ResultantPSO in the user search. Then, if
a PSO applies to the user, we add in an extra search to retrieve the
PSO's settings. Once the PSO search completes, we continue with the
modify operation.

In the event of error cases, I've tried to fall back to logging the
problem and continuing with the default domain settings. However,
unusual internal errors will still fail the operation.

We can pass the PSO result into dsdb_update_bad_pwd_count(), which means
the PSO's lockout-threshold and observation-window are now used. This is
enough to get the remaining lockout tests passing.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
selftest/knownfail.d/password_lockout [deleted file]
source4/dsdb/samdb/ldb_modules/password_hash.c
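The lookup-then-fall-back flow the commit message describes, as an added Python illustration for this page rather than Samba's own code. The in-memory directory, the DNs, the logon timestamps and the second-based durations are constructed; the attribute names (msDS-ResultantPSO, msDS-LockoutThreshold, msDS-LockoutObservationWindow, lockoutThreshold, lockOutObservationWindow, badPwdCount, badPasswordTime, lockoutTime) are the real AD ones, and resolve_lockout_settings, update_bad_pwd_count, record_failure and simulate_failures are hypothetical helper names standing in for the C functions in password_hash.c.

```python
"""Resolve a user's effective lockout settings (PSO first, domain defaults as
the fallback) and apply them when a failed logon bumps badPwdCount.

Added illustration, not Samba's code. The directory below is a constructed
in-memory stand-in for samdb; durations are in seconds for readability
(real AD stores the observation window as a negative 100-ns interval)."""
import copy
import logging
from dataclasses import dataclass

log = logging.getLogger("lockout")

DOMAIN_DN = "DC=example,DC=test"
PSO_DN = "CN=strict,CN=Password Settings Container,CN=System,DC=example,DC=test"
MISSING_PSO_DN = "CN=gone,CN=Password Settings Container,CN=System,DC=example,DC=test"

# Constructed directory: DN -> attributes (attribute names are the real ones).
DIRECTORY = {
    DOMAIN_DN: {"lockoutThreshold": 5, "lockOutObservationWindow": 1800},
    PSO_DN: {"msDS-LockoutThreshold": 3, "msDS-LockoutObservationWindow": 600},
    # alice: a PSO applies, so its stricter settings must win
    "CN=alice,CN=Users,DC=example,DC=test": {
        "msDS-ResultantPSO": PSO_DN,
        "badPwdCount": 0, "badPasswordTime": 0, "lockoutTime": 0,
    },
    # bob: no PSO, so the domain defaults apply
    "CN=bob,CN=Users,DC=example,DC=test": {
        "badPwdCount": 0, "badPasswordTime": 0, "lockoutTime": 0,
    },
    # carol: msDS-ResultantPSO points at a PSO that cannot be read
    "CN=carol,CN=Users,DC=example,DC=test": {
        "msDS-ResultantPSO": MISSING_PSO_DN,
        "badPwdCount": 0, "badPasswordTime": 0, "lockoutTime": 0,
    },
}


@dataclass(frozen=True)
class LockoutSettings:
    threshold: int  # 0 means "never lock out"
    window: int     # seconds; failures older than this are forgotten
    source: str     # "pso" or "domain", kept so callers can see what applied


def resolve_lockout_settings(directory, user_dn):
    """PSO settings win when msDS-ResultantPSO names a readable PSO; a
    failed PSO lookup is logged and the domain defaults are used instead."""
    domain = directory[DOMAIN_DN]
    defaults = LockoutSettings(domain["lockoutThreshold"],
                               domain["lockOutObservationWindow"], "domain")
    pso_dn = directory[user_dn].get("msDS-ResultantPSO")
    if pso_dn is None:
        return defaults
    pso = directory.get(pso_dn)
    if pso is None or "msDS-LockoutThreshold" not in pso:
        log.warning("PSO %s for %s could not be read; using domain lockout "
                    "settings", pso_dn, user_dn)
        return defaults
    return LockoutSettings(pso["msDS-LockoutThreshold"],
                           pso["msDS-LockoutObservationWindow"], "pso")


def update_bad_pwd_count(user, settings, now):
    """Apply one failed attempt at time `now` using the resolved settings.
    Returns the new (badPwdCount, lockoutTime)."""
    count = user["badPwdCount"]
    # Failures outside the observation window no longer count.
    if now - user["badPasswordTime"] > settings.window:
        count = 0
    count += 1
    lockout_time = user["lockoutTime"]
    if settings.threshold and count >= settings.threshold:
        lockout_time = now  # account is now locked out
    user.update(badPwdCount=count, badPasswordTime=now, lockoutTime=lockout_time)
    return count, lockout_time


def record_failure(directory, user_dn, now):
    """What the modify path does per failed logon: resolve, then update."""
    settings = resolve_lockout_settings(directory, user_dn)
    return update_bad_pwd_count(directory[user_dn], settings, now)


def simulate_failures(user_dn, attempt_times):
    """Replay failed logons against a fresh copy of the constructed directory
    and return the final (badPwdCount, lockoutTime)."""
    directory = copy.deepcopy(DIRECTORY)
    result = None
    for t in attempt_times:
        result = record_failure(directory, user_dn, t)
    return result


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for dn in ("CN=alice,CN=Users,DC=example,DC=test",
               "CN=bob,CN=Users,DC=example,DC=test",
               "CN=carol,CN=Users,DC=example,DC=test"):
        print(dn, resolve_lockout_settings(DIRECTORY, dn),
              simulate_failures(dn, [100, 200, 300]))
```

The three users exercise the three paths the commit message names: a PSO that applies (alice locks out after three failures inside the 600 s window), no PSO (bob is still governed by the domain threshold of five), and an unreadable PSO (carol falls through to the domain defaults after a logged warning rather than failing the operation).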