
Re: [ldapext] password policy: delayed failures



On Jul 1, 2010, at 3:28 AM, Jim Willeke wrote:

> Just a comment on our experiences with LDAP server delays on failed bind attempts.
> 
> We have encountered issues with applications when there is a delay between failed attempts.
> When there is a delay, the application is left waiting for a response from the server.
> 
> This was the case with Novell's eDirectory for many years; there was a fixed delay, and due to this condition, Novell added a feature to make the delay adjustable.
> 
> If the delay is 3 seconds and five people in a row fail their password, the application can only handle 5 people in 15 seconds, which is an eternity in our context.

I noted this in my original comment and first followup, including providing two possible solutions.  I favor adding an "authenticate" extended operation.

-- Kurt
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www.ietf.org/mailman/listinfo/ldapext