Re: Server side delay for bad passwords?

Dan White wrote, on 07-02-2008 18:42:


I understand that I could implement the password policy overlay to temporarily lockout an account once it's reached a certain number of bad password attempts, but I believe that only applies to simple (-x) binds. Is that correct?

My site's running ppolicy on 2.3 on Linux for gdm logins with great success; however, my understanding is that it only cares about pam/pam_exop calls (presumably also similar from dedicated client or proxy software). Looking at the relevant operational attributes in gq, one can see that each failed login is recorded in the pwdFailureTime attribute. Doing a repeated ldapsearch -x on an account with an invalid password doesn't make the blindest bit of difference to this attribute, and multiple failed attempts are allowed.

I've also wanted what you want but refuse to publish site email addresses on the Internet to all and sundry. At the moment authorized users can obtain site-specific info by logging into webmail, which uses LDAP internally.
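As an added example, not part of this thread or of OpenLDAP itself: a small Python audit helper that reads the pwdFailureTime values of an entry (the way ldapsearch shows them when the operational attributes are requested with `+`) and applies the ppolicy lockout rule offline, so an admin can check whether an account would be locked under a given pwdMaxFailure / pwdFailureCountInterval. The LDIF entry and the policy values are constructed sample data.

```python
"""Offline check of ppolicy failure data (added example; constructed input)."""
from datetime import datetime, timedelta, timezone

# Constructed sample of what `ldapsearch ... '+'` might return for one entry.
SAMPLE_LDIF = """dn: uid=jdoe,ou=people,dc=example,dc=com
pwdChangedTime: 20080101120000Z
pwdFailureTime: 20080207183000Z
pwdFailureTime: 20080207183500Z
pwdFailureTime: 20080207184000Z
pwdFailureTime: 20080207184100Z
"""


def parse_generalized_time(value):
    """Parse LDAP GeneralizedTime (20080207184200Z or 20080207184200.123Z) as UTC."""
    main, _, _fraction = value.rstrip("Z").partition(".")
    return datetime.strptime(main, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_ldif_attrs(ldif):
    """Collect attribute values from a single unfolded LDIF entry (multi-valued aware)."""
    attrs = {}
    for line in ldif.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(": ")
        attrs.setdefault(name, []).append(value)
    return attrs


def failure_status(attrs, now, max_failure, count_interval):
    """Replicate the ppolicy decision: count pwdFailureTime values that fall within
    pwdFailureCountInterval seconds of `now` (0 means failures are never purged)
    and report whether that count has reached pwdMaxFailure (0 disables the limit)."""
    times = [parse_generalized_time(v) for v in attrs.get("pwdFailureTime", [])]
    if count_interval > 0:
        cutoff = now - timedelta(seconds=count_interval)
        times = [t for t in times if t >= cutoff]
    count = len(times)
    return {"failures": count, "locked": max_failure > 0 and count >= max_failure}


if __name__ == "__main__":
    entry = parse_ldif_attrs(SAMPLE_LDIF)
    when = datetime(2008, 2, 7, 18, 42, tzinfo=timezone.utc)
    print(failure_status(entry, when, max_failure=3, count_interval=600))
```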
