
Re: password policy enforcement



"Kurt D. Zeilenga" wrote:

> At 09:11 AM 2/29/00 -0800, Dustin Sallings wrote:
> >On Tue, 29 Feb 2000, Howard Chu wrote:
> >
> >       In this scenario, how would I handle a replicate slave?  I really
> >don't want them changing if the master doesn't change.  Are you saying
> >there's no place in slapd itself I can store login failure counts?
>
> I would suggest that each count be local to a server and NOT
> replicated.
>
> This may sound odd, but it actually will minimize abuse.  If
> you don't replicate the count, an attacker can get N*M attempts
> (N tries on M servers).  However, if you replicate, you can
> get much more than this by trying N on M-1 slaves and then
> trying once on master to get another N on M-1 attempts...
> this can be repeated until the master count has been exceeded.
>

This is true if you're using an integer counter. But if the failure count is
built by adding timestamps of failures, then it'll be a maximum of N * (M - 1).

Ludovic.



>
> Kurt

--
Ludovic Poitou
Sun Microsystems Inc.
iPlanet E-Commerce Solutions - Directory Group - Grenoble - France
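As an added illustration (not code from this thread, from OpenLDAP or from iPlanet), the following Python model replays the three designs under discussion: an unreplicated per-server counter, a replicated integer counter, and a replicated set of failure timestamps. The semantics are assumptions, stated in the comments: one master and M-1 slaves, lockout after N failures on a given server, replication flowing only from master to slaves, an integer counter replicated as a "replace" (overwriting the slave's local value) and timestamps replicated as an "add" (one more value on the slave). The attacker sequence is the one Kurt describes: burn every slave, then cause one failure on the master and re-burn the slaves after each replicated change. How far the timestamp design tightens the bound beyond what this model shows depends on details the thread leaves open, such as whether slave-side failures are ever written back to the master.

```python
# Constructed model of lockout-counter replication. Added example with
# assumed semantics; not OpenLDAP or iPlanet code.
#   * one master and M-1 slaves, lockout threshold N per server;
#   * a server refuses further binds once it holds N failure entries;
#   * replication is master -> slaves only; a slave's own failures are
#     never written back to the master;
#   * an integer counter replicates as a "replace" (overwrites the
#     slave's value); a timestamp attribute replicates as an "add".


class Server:
    """Failure state for one user on one directory server."""

    def __init__(self, name, threshold):
        self.name = name
        self.threshold = threshold
        self.count = 0         # integer-counter design
        self.stamps = set()    # timestamp-set design

    def locked(self, design):
        n = self.count if design == "counter" else len(self.stamps)
        return n >= self.threshold


class Directory:
    """A master plus slaves using one design and one replication mode."""

    def __init__(self, n, m, design, replicate):
        self.master = Server("master", n)
        self.slaves = [Server("slave%d" % i, n) for i in range(1, m)]
        self.design = design        # "counter" or "stamps"
        self.replicate = replicate  # do master changes reach the slaves?
        self.clock = 0              # fake monotonic timestamp source
        self.attempts = 0           # failed binds the attacker got to make

    def fail(self, server):
        """Record one failed bind; return False if the server refused it."""
        if server.locked(self.design):
            return False
        self.attempts += 1
        self.clock += 1
        server.count += 1
        server.stamps.add(self.clock)
        if self.replicate and server is self.master:
            for s in self.slaves:
                if self.design == "counter":
                    s.count = server.count      # replace: overwrites
                else:
                    s.stamps.add(self.clock)    # add: accumulates
        return True

    def exhaust(self, server):
        """Fail on one server until it locks; return attempts spent."""
        used = 0
        while self.fail(server):
            used += 1
        return used


def attack_slaves_then_master(d):
    """Burn every slave, then poke the master one failure at a time and
    re-burn the slaves after each replicated change (Kurt's sequence)."""
    for s in d.slaves:
        d.exhaust(s)
    while d.fail(d.master):
        for s in d.slaves:
            d.exhaust(s)
    return d.attempts


def attack_master_first(d):
    """The naive order: lock the master first, then try each slave."""
    d.exhaust(d.master)
    for s in d.slaves:
        d.exhaust(s)
    return d.attempts


def total_attempts(n, m, design, replicate, attack=attack_slaves_then_master):
    """Failed binds an attacker gets across all servers before full lockout."""
    return attack(Directory(n, m, design, replicate))


def replicated_counter_bound(n, m):
    """Closed form for the overwriting counter under the slaves-first attack:
    each of the N master failures resets M-1 slaves to k, giving N-k more
    tries on each, so (M-1) * N(N+1)/2 slave tries plus N master tries."""
    return (m - 1) * n * (n + 1) // 2 + n


if __name__ == "__main__":
    N, M = 3, 4
    for design, replicate in (("counter", False), ("counter", True), ("stamps", True)):
        print("%-8s replicate=%-5s slaves-first=%2d master-first=%2d" % (
            design, replicate,
            total_attempts(N, M, design, replicate),
            total_attempts(N, M, design, replicate, attack_master_first)))
```

With N=3 and M=4 the unreplicated counter gives the N*M = 12 attempts Kurt predicts, the overwriting replicated counter gives 21 under the slaves-first sequence, and the accumulating timestamp set never exceeds 12 because replicated entries only ever add to a slave's count. The master-first order collapses both replicated designs to N, which is why the attacker in the thread works the slaves first.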