Re: password policy enforcement
"Kurt D. Zeilenga" wrote:
> At 09:11 AM 2/29/00 -0800, Dustin Sallings wrote:
> >On Tue, 29 Feb 2000, Howard Chu wrote:
> > In this scenario, how would I handle a replicate slave? I really
> >don't want them changing if the master doesn't change. Are you saying
> >there's no place in slapd itself I can store login failure counts?
> I would suggest that each count be local to a server and NOT
> This may sound odd, but it actually will minimize abuse. If
> you don't replicate the count, an attacker can get N*M attempts
> (N tries on M servers). However, if you replicate, you can
> get much more than this by trying N on M-1 slaves and then
> trying once on master to get another N on M-1 attempts...
> this can be repeated until the master count has been exceeded.
This is true if you're using an integer counter. But if the failures count is
built by adding timestamps of failures, then it'll be a maximum of N * (M
Sun Microsystems Inc.
iPlanet E-Commerce Solutions - Directory Group - Grenoble - France
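
The counting argument in the quoted reply, worked through as a small simulation (an added example, not code from the thread or from slapd). It assumes an account locks on a server once its count reaches N, that slaves do not push their counts upstream, and that every count change on the master overwrites the slave copies; all function names are hypothetical.

```python
# Added illustration. The replication semantics modelled here are assumptions
# made for the example, not a description of slapd's behaviour.

def attempts_local_only(n, m):
    """Each of m servers keeps its own failure count and locks at n failures."""
    counts = [0] * m
    attempts = 0
    for server in range(m):
        while counts[server] < n:      # bind still permitted on this server
            counts[server] += 1        # failure recorded locally only
            attempts += 1
    return attempts


def attempts_replicated_counter(n, m):
    """Server 0 is the master and the count is a replicated integer.

    Assumed model: a failure on a slave changes only that slave's copy;
    a failure on the master changes the master's count, and replication
    then overwrites every slave copy with the master's value.
    """
    counts = [0] * m
    attempts = 0
    while counts[0] < n:               # until the master itself locks
        for slave in range(1, m):
            while counts[slave] < n:   # use up each slave's remaining tries
                counts[slave] += 1
                attempts += 1
        counts[0] += 1                 # one failure on the master
        attempts += 1
        for slave in range(1, m):
            counts[slave] = counts[0]  # replication resets the slave copies
    return attempts


def compare(n, m):
    """Return (local-only total, replicated-integer total) for threshold n, m servers."""
    return attempts_local_only(n, m), attempts_replicated_counter(n, m)


if __name__ == "__main__":
    for n, m in [(3, 3), (5, 4), (5, 10)]:
        local, replicated = compare(n, m)
        print(f"N={n} M={m}: local-only={local} replicated-integer={replicated}")
```

Under these assumptions the local-only total is exactly N*M, while the replicated integer total grows as (M-1)*N*(N+1)/2 + N, because each master update hands every slave a lower count to refill.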