[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8185) Clarification/enhancement request: purging stale pwdFailureTime attributes

On 07/06/2015 01:30 PM, Michael Ströder wrote:
> Consider that you are under on-going attack with many different 
> accounts affected by the lockout treshold. Then you cannot simply wait 
> for pwdFailureCountInterval seconds because your system is changing 
> all the time.
> Such a situation is a real world scenario.

Ok -- I'm probably not understanding enough about your particular 
scenario to fully appreciate the concerns that you express. But I think 
there could be ways to address them in this enhancement -- for instance, 
by adding optional parameter(s) like ppolicy_purge_failures <nfailures> 
and/or ppolicy_purge_olderthan <timestamp>, which could then be 
configured to accommodate the scenario you describe.

At this point, I'll think I'll leave it up to the OpenLDAP developers as 
to how they want to proceed on this, and/or to ask for more information.

Thanks for the discussion Michael.