[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8185) Clarification/enhancement request: purging stale pwdFailureTime attributes

subbarao@computer.org wrote:
> On 07/06/2015 01:30 PM, Michael Ströder wrote:
>> Consider that you are under on-going attack with many different
>> accounts affected by the lockout treshold. Then you cannot simply wait
>> for pwdFailureCountInterval seconds because your system is changing
>> all the time.
>> Such a situation is a real world scenario.
> Ok -- I'm probably not understanding enough about your particular
> scenario to fully appreciate the concerns that you express. But I think
> there could be ways to address them in this enhancement -- for instance,
> by adding optional parameter(s) like ppolicy_purge_failures <nfailures>
> and/or ppolicy_purge_olderthan <timestamp>, which could then be
> configured to accommodate the scenario you describe.
> At this point, I'll think I'll leave it up to the OpenLDAP developers as
> to how they want to proceed on this, and/or to ask for more information.

I've added a pwdMaxRecordedFailure attribute to the policy schema. Overloading 
pwdMaxFailure would be a mistake.

MaxRecordedFailure will default to MaxFailure if that is set. It defaults to 5 
if nothing is set. There's no good reason to allow the timestamps to 
accumulate without bound.

This is now available for testing in git master.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/