RE: password policy enforcement
At 09:11 AM 2/29/00 -0800, Dustin Sallings wrote:
>On Tue, 29 Feb 2000, Howard Chu wrote:
>
> In this scenario, how would I handle a replicate slave? I really
>don't want them changing if the master doesn't change. Are you saying
>there's no place in slapd itself I can store login failure counts?
I would suggest that each count be local to a server and NOT
replicated.
This may sound odd, but it actually will minimize abuse. If
you don't replicate the count, an attacker can get N*M attempts
(N tries on M servers). However, if you replicate, you can
get much more than this by trying N on M-1 slaves and then
trying once on master to get another N on M-1 attempts...
this can be repeated until the master count has been exceeded.
Kurt
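
Added example, not part of the original message: a small Python model of the comparison above, counting how many wrong passwords are evaluated before every server refuses the account. The replication behaviour is an assumption made for the illustration (server 0 is the master, each failure recorded on the master overwrites every slave's count with the master's count, and slave failures are never sent upstream); the function names are hypothetical.

```python
def guesses_local(n, m):
    """Each of m servers keeps its own failure count and locks at n."""
    counts = [0] * m
    accepted = 0
    for s in range(m):
        while counts[s] < n:      # server still evaluates the bind
            counts[s] += 1        # wrong password, counted locally only
            accepted += 1
    return accepted


def guesses_replicated(n, m):
    """Assumed model: the master's count is pushed to all slaves and
    overwrites whatever the slave had counted locally."""
    counts = [0] * m              # counts[0] is the master
    accepted = 0

    def drain_slaves():
        nonlocal accepted
        for s in range(1, m):
            while counts[s] < n:
                counts[s] += 1
                accepted += 1

    drain_slaves()                        # N tries on each of M-1 slaves
    while counts[0] < n:
        counts[0] += 1                    # one failure on the master...
        accepted += 1
        for s in range(1, m):
            counts[s] = counts[0]         # ...rewinds every slave's count
        drain_slaves()
    return accepted


def closed_form_replicated(n, m):
    """Sum of the rounds above: N*M + (M-1)*N*(N-1)/2 under this model."""
    return n * m + (m - 1) * n * (n - 1) // 2


if __name__ == "__main__":
    print("N  M  local  replicated")
    for n, m in [(3, 2), (5, 3), (5, 10)]:   # constructed sample policies
        print(n, m, guesses_local(n, m), guesses_replicated(n, m))
```

Under this model the local design is bounded by N*M, while the replicated design grows with N squared because each master failure hands the slaves part of their budget back.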