
RE: password policy enforcement



At 09:11 AM 2/29/00 -0800, Dustin Sallings wrote:
>On Tue, 29 Feb 2000, Howard Chu wrote:
>
>	In this scenario, how would I handle a replicate slave?  I really
>don't want them changing if the master doesn't change.  Are you saying
>there's no place in slapd itself I can store login failure counts?

I would suggest that each count be local to a server and NOT
replicated.

This may sound odd, but it actually will minimize abuse.  If
you don't replicate the count, an attacker can get N*M attempts
(N tries on M servers).  However, if you replicate, you can
get much more than this by trying N on M-1 slaves and then
trying once on master to get another N on M-1 attempts...
this can be repeated until the master count has been exceeded.

Kurt
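
Added example (not part of the original message, and not slapd code): a small simulation of the two designs discussed above, counting how many failed binds the servers accept for one account before all of them have locked it. The replication semantics are an assumption, stated in the docstring, and the names Server, drain and guess_budget are hypothetical.

```python
"""Failed-bind budget per account: local vs. replicated lockout counters.

Assumed model (not from the post or from slapd): servers[0] is the master;
a server refuses binds once its stored count reaches `limit`; a replica
records failures only in its own copy; in the replicated design each failure
on the master pushes the master's count to every replica, overwriting theirs.
"""


class Server:
    def __init__(self, limit):
        self.limit = limit
        self.failures = 0

    def failed_bind(self):
        """Record one failed bind; False if the account is already locked here."""
        if self.failures >= self.limit:
            return False
        self.failures += 1
        return True


def drain(server):
    """Count the failed binds a server accepts before it locks the account."""
    accepted = 0
    while server.failed_bind():
        accepted += 1
    return accepted


def guess_budget(limit, n_servers, replicate_count):
    """Total failed binds accepted before every server has locked the account."""
    master, *replicas = [Server(limit) for _ in range(n_servers)]
    total = sum(drain(r) for r in replicas)
    while master.failed_bind():
        total += 1
        if replicate_count:
            for r in replicas:
                r.failures = master.failures  # replication overwrites local count
            total += sum(drain(r) for r in replicas)
    return total


if __name__ == "__main__":
    for n, m in [(3, 3), (5, 4)]:
        print(f"N={n} M={m}: local={guess_budget(n, m, False)} "
              f"replicated={guess_budget(n, m, True)}")
```

Under these assumptions N=3, M=3 gives 9 accepted failures with local counters and 15 with a replicated count; the exact replicated total depends on how a deployment propagates the count.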