#4443 [RFE] Prevent replication-set-wide OTP replay attacks
Opened 9 years ago by npmccallum. Modified 7 years ago

Currently, with some careful timing, one can fairly easily perform a replay attack. This is done by logging into a different server, taking advantage of the delay in replication. Preventing this, or at least making it difficult to exploit, should be pursued.
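As an added illustration (not code from this ticket or from FreeIPA), the Python model below shows why asynchronous replication of the per-user "last used time step" lets one TOTP code be accepted on two replicas, and how refusing a step until the peers have recorded it (one possible mitigation, assumed here, not the project's chosen design) closes that window. Replica names, the secret and the timestamps are constructed.

```python
# Added illustration, not FreeIPA code: two replicas share a user's TOTP
# secret but replicate the "last used step" high-water mark asynchronously.
import hashlib
import hmac
import struct

STEP = 30  # TOTP time step in seconds


def totp(secret: bytes, t: int, digits: int = 6) -> str:
    """RFC 6238 TOTP for a fixed Unix time t (HOTP over the time counter)."""
    counter = t // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class Replica:
    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret
        self.last_step = -1   # highest step this replica knows was used
        self.peers = []       # other replicas in the replication set

    def check(self, code: str, t: int, sync_peers: bool) -> bool:
        step = t // STEP
        if code != totp(self.secret, t) or step <= self.last_step:
            return False      # wrong code, or a step already used locally
        if sync_peers:
            # Assumed mitigation: consult peers before accepting, then
            # advance their high-water mark so nobody else accepts this step.
            if any(step <= p.last_step for p in self.peers):
                return False
            for p in self.peers:
                p.last_step = step
        self.last_step = step
        return True


def replicate(src: Replica, dst: Replica) -> None:
    """Asynchronous replication: the high-water mark arrives later."""
    dst.last_step = max(dst.last_step, src.last_step)


def scenario(sync_peers: bool) -> tuple:
    secret = b"constructed-demo-secret"
    a, b = Replica("ipa1", secret), Replica("ipa2", secret)
    a.peers, b.peers = [b], [a]
    t = 1_700_000_010                              # start of a 30 s step
    code = totp(secret, t)
    first = a.check(code, t, sync_peers)           # legitimate login on ipa1
    second = b.check(code, t + 5, sync_peers)      # same code on ipa2, pre-replication
    replicate(a, b)                                # replication arrives too late
    third = b.check(code, t + 10, sync_peers)      # rejected once ipa2 has caught up
    return first, second, third
```

With lazy replication `scenario(False)` accepts the code on both replicas; with the peer check `scenario(True)` rejects the second use.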


We do not even have a solution yet, it is a fundamental problem of a distributed system.

Different approaches were proposed on the development discussion, but no conclusion yet. Either approach would require big code changes, so we need to move it to at least 4.2.

FreeIPA 4.2 has already been shaped (see the [[milestone:FreeIPA 4.2]] milestone), and this does not fit. Pushing it out.

If anyone is willing to help and contribute to this one, please let us know!

Metadata Update from @npmccallum:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

7 years ago

