[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: password policy enforcement

"Kurt D. Zeilenga" wrote:

> At 09:11 AM 2/29/00 -0800, Dustin Sallings wrote:
> >On Tue, 29 Feb 2000, Howard Chu wrote:
> >
> >       In this scenario, how would I handle a replicate slave?  I really
> >don't want them changing if the master doesn't change.  Are you saying
> >there's no place in slapd itself I can store login failure counts?
> I would suggest that each count be local to a server and NOT
> replicated.
> This may sound odd, but it actually will minimize abuse.  If
> you don't replicate the count, an attacker can get N*M attempts
> (N tries on M servers).  However, if you replicate, you can
> get much more than this by trying N on M-1 slaves and then
> trying once on master to get another N on M-1 attempts...
> this can be repeated until the master count has been exceeded.

This is true if you're using a integer counter. But if the failures count is
built by adding timestamps of failures, then it'll be a maximum of N * (M


> Kurt

Ludovic Poitou
Sun Microsystems Inc.
iPlanet E-Commerce Solutions - Directory Group - Grenoble - France