
(ITS#6835) extend pwFailureTime timestamp to microsecond resolution to improve pwdMaxFailure enforcement



Full_Name: Brian Wasserman
Version: 2.4.21-0ubuntu5.3
OS: Ubuntu 10.04
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (198.151.13.15)


More than pwdMaxFailure attempts can be made before locking out an account if
multiple attempts are made within the same second since it'll only log one
pwdFailureTime per second.  This is because the timestamp is stored in second
resolution.  Changing this timestamp to use microsecond resolution should
minimize this limitation.

In order to reproduce the problem by exceeding the number of max failures
configured, just attempt to bind to a server with the policy below (or similar)
multiple times per second with a valid user and observe the number of
pwdFailureTime entries that are added to the given account.  The account is
locked after three pwdFailureTime entries are added, regardless of the number of
actual attempts.

Here's my policy configuration:
dn: cn=Standard,ou=Policies,dc=local,dc=com
cn: Standard
description: Standard password policy.
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdLockout: TRUE
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
objectClass: device
objectClass: pwdPolicy
pwdInHistory: 3
pwdMaxFailure: 3
pwdMinLength: 8
pwdMaxAge: 7776000
pwdMinAge: 86400
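The following is an added illustration, not code from the report or from OpenLDAP's ppolicy overlay. It models the mechanism the report describes: pwdFailureTime is a multi-valued attribute, an LDAP attribute cannot hold the same value twice, so every failed bind that lands in the same second as an earlier one produces an identical second-resolution GeneralizedTime string and adds nothing. The model then compares that against microsecond-resolution timestamps using the pwdMaxFailure: 3 value from the policy above. The lockout rule (locked once the number of distinct pwdFailureTime values reaches pwdMaxFailure, and nothing recorded while locked) and the start time are assumptions of the model, not taken from the report.

```python
from datetime import datetime, timedelta, timezone

PWD_MAX_FAILURE = 3  # pwdMaxFailure from the policy in the report


def gentime(ts, microseconds):
    """Format ts as an LDAP GeneralizedTime string.

    Second resolution (YYYYMMDDHHMMSSZ) is what the reporter observes;
    microsecond resolution (YYYYMMDDHHMMSS.ffffffZ) is the proposed change.
    """
    ts = ts.astimezone(timezone.utc)
    base = ts.strftime("%Y%m%d%H%M%S")
    if microseconds:
        return "%s.%06dZ" % (base, ts.microsecond)
    return base + "Z"


class Account:
    """Toy model of the per-entry state ppolicy keeps (not OpenLDAP code).

    pwdFailureTime is multi-valued and LDAP attribute values are unique, so a
    failure whose GeneralizedTime string equals an existing value adds nothing.
    Assumed lockout rule: locked once the number of distinct pwdFailureTime
    values reaches pwdMaxFailure; once locked, further binds are rejected
    without recording anything.
    """

    def __init__(self, microseconds):
        self.microseconds = microseconds
        self.pwd_failure_time = set()
        self.locked = False

    def failed_bind(self, when):
        """Record one failed bind at time `when`; return True if now locked."""
        if self.locked:
            return True
        self.pwd_failure_time.add(gentime(when, self.microseconds))
        if len(self.pwd_failure_time) >= PWD_MAX_FAILURE:
            self.locked = True
        return self.locked


def simulate(attempts, spacing_ms, microseconds):
    """Fire `attempts` wrong-password binds `spacing_ms` apart.

    Returns how many pwdFailureTime values were stored and on which attempt
    (1-based) the account locked, or None if it never did.
    """
    start = datetime(2011, 2, 20, 12, 0, 0, tzinfo=timezone.utc)  # constructed
    acct = Account(microseconds)
    locked_at = None
    for i in range(attempts):
        if acct.failed_bind(start + timedelta(milliseconds=spacing_ms * i)):
            if locked_at is None:
                locked_at = i + 1
    return {"entries": len(acct.pwd_failure_time), "locked_at_attempt": locked_at}


if __name__ == "__main__":
    for spacing in (100, 400):
        for micro in (False, True):
            res = simulate(10, spacing, micro)
            print("spacing=%dms microseconds=%-5s -> %s" % (spacing, micro, res))
```

With ten attempts 100 ms apart, the second-resolution model stores a single pwdFailureTime value and never locks, while the microsecond model locks on the third attempt; at 400 ms spacing the second-resolution model needs six attempts (three distinct seconds) before the third value appears.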