[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: password policy - alternate lockout mechanism

Aravind Gottipati wrote:
On Tue, Jan 27, 2009 at 2:01 PM, Clowser, Jeff
<jeff_clowser@fanniemae.com>  wrote:
I will say that if such an enhancement *were* to be implemented, it
would probably eliminate almost all our false positives and only lock
out users for extreme cases and genuine attacks...

Yup, this is proving to be a pita for us. Folks login from multiple machines and get locked out when they forget to propagate their password changes to all those machines.

Also, I am not sure how this will be any greater security risk than
the current system of storing a SSHA hash of the current password
within LDAP?  We could store similar hashes of all the passwords tried
(upto pwdMaxFailure) and compare against that?

I'm wondering if that's even necessary. According to your description so far, it would be sufficient to only store 1 failed password. If as you say, the same password is tried multiple times, then this should be good enough.

Short of actually coding this up myself, what can I do to move it
along to at least a feature request that will be considered?

Feature requests are treated like anything else. http://www.openldap.org/its/

And again, the Project is run on a volunteer basis. If no one in the community is interested in writing code for this feature, it will be ignored.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/