container.
5. Configure the LDAP server ACLs to enable the KDC and kadmin server
- DNs to read and write the Kerberos data.
+ DNs to read and write the Kerberos data. If
+ **disable_last_success** and **disable_lockout** are both set to
+ true in the :ref:`dbmodules` subsection for the realm, then the
+ KDC DN only requires read access to the Kerberos data.
Sample access control information::
# Providing access to realm container
access to dn.subtree= "cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com"
- by dn.exact="cn=kdc-service,dc=example,dc=com" read
+ by dn.exact="cn=kdc-service,dc=example,dc=com" write
by dn.exact="cn=adm-service,dc=example,dc=com" write
by * none
# Providing access to principals, if not underneath realm container
access to dn.subtree= "ou=users,dc=example,dc=com"
- by dn.exact="cn=kdc-service,dc=example,dc=com" read
+ by dn.exact="cn=kdc-service,dc=example,dc=com" write
by dn.exact="cn=adm-service,dc=example,dc=com" write
by * none
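Review bot: the sample ACL now grants the KDC DN write on both subtrees unconditionally (`by dn.exact="cn=kdc-service,dc=example,dc=com" write`), but the text added just above says the KDC DN needs only read when **disable_last_success** and **disable_lockout** are both true; add a comment inside the sample (something like `# read suffices for kdc-service if disable_last_success and disable_lockout are both set`) so administrators who run the KDC without lockout and last-success tracking are not steered to the broader grant. The trade-off is also worth one sentence in the prose: write access on the whole realm container and on ou=users means a compromised KDC service account can modify or create any principal, including administrative ones, so sites that can do without lockout and last-success tracking should keep the KDC DN at read.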
account lockout policies to operate. However, it will make it
impossible to observe the last successful authentication time with
kadmin.
+
+
+KDC setup and account lockout
+-----------------------------
+
+To update the account lockout state on principals, the KDC must be
+able to write to the principal database. For the DB2 module, no
+special setup is required. For the LDAP module, the KDC DN must be
+granted write access to the principal objects. If the KDC DN has only
+read access, account lockout will not function.
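Review bot: the new section states the write requirement for the LDAP KDC DN but omits the exception the LDAP configuration change adds (read is sufficient when **disable_last_success** and **disable_lockout** are both set in the realm's :ref:`dbmodules` subsection); state it here as well so the two documents agree, and point the reader at the LDAP ACL step for where the grant is made rather than leaving "must be granted write access" unanchored. It would also help to say what the failure looks like when the grant is missing (the KDC cannot update the lockout state on the principal, so lockout never triggers, rather than the KDC refusing to start), since "account lockout will not function" gives an administrator nothing to check for.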