[Date Prev][Date Next]
Re: (ITS#8185) Clarification/enhancement request: purging stale pwdFailureTime attributes
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8185) Clarification/enhancement request: purging stale pwdFailureTime attributes
- From: email@example.com
- Date: Mon, 06 Jul 2015 17:49:53 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
On 07/06/2015 01:30 PM, Michael StrÃ¶der wrote:
> Consider that you are under on-going attack with many different
> accounts affected by the lockout treshold. Then you cannot simply wait
> for pwdFailureCountInterval seconds because your system is changing
> all the time.
> Such a situation is a real world scenario.
Ok -- I'm probably not understanding enough about your particular
scenario to fully appreciate the concerns that you express. But I think
there could be ways to address them in this enhancement -- for instance,
by adding optional parameter(s) like ppolicy_purge_failures <nfailures>
and/or ppolicy_purge_olderthan <timestamp>, which could then be
configured to accommodate the scenario you describe.
At this point, I'll think I'll leave it up to the OpenLDAP developers as
to how they want to proceed on this, and/or to ask for more information.
Thanks for the discussion Michael.