From f7bc394144a5e8f9aa6cb06859899300c089b3ff Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Mon, 30 Aug 2021 22:20:12 +0000
Subject: [PATCH] kerberos/kdc: Don't use lockout or last login

Try to avoid writing to LDAP when running kinit.
---
 roles/kerberos/kdc/templates/kdc.conf.j2 | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/roles/kerberos/kdc/templates/kdc.conf.j2 b/roles/kerberos/kdc/templates/kdc.conf.j2
index 0a70dce..fb915a3 100644
--- a/roles/kerberos/kdc/templates/kdc.conf.j2
+++ b/roles/kerberos/kdc/templates/kdc.conf.j2
@@ -23,6 +23,8 @@
 [dbmodules]
 ldap.{{ kerberos_realm|lower() }} = {
 db_library = kldap
+ disable_last_success = true
+ disable_lockout = true
 ldap_kerberos_container_dn = "ou=System,{{ ldap_basedn }}"
 ldap_kdc_dn = "uid=krb5kdc,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}"
 ldap_kadmind_dn = "uid=krb5kadmin,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}"
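Review bot: `disable_lockout = true` in the `[dbmodules]` block does more than save an LDAP write: the KDC stops updating the failed-attempt fields of principals that require preauthentication, so any lockout settings in password policies (`maxfailure`, `lockoutduration`) are no longer enforced, and `disable_last_success` drops the last-successful-authentication timestamp that audits may rely on. Whether any policy in this realm sets a failure limit is not visible here, so that should be confirmed before merging; if lockout was in use, repeated preauthentication failures will have to be detected from the KDC log instead. I would record the trade-off next to the two settings, e.g. `# No LDAP writes on AS requests; KDC-side lockout and last-success tracking are off, so watch the KDC log for repeated preauth failures`. The `ldap.{{ kerberos_realm|lower() }} = {` block closes outside this hunk.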