
Re: password policy - alternate lockout mechanism



Aravind Gottipati wrote:
On Tue, Jan 27, 2009 at 2:01 PM, Clowser, Jeff
<jeff_clowser@fanniemae.com>  wrote:
I will say that if such an enhancement *were* to be implemented, it
would probably eliminate almost all our false positives and only lock
out users for extreme cases and genuine attacks...

Yup, this is proving to be a pita for us. Folks log in from multiple machines and get locked out when they forget to propagate their password changes to all those machines.

Also, I am not sure how this will be any greater security risk than
the current system of storing a SSHA hash of the current password
within LDAP?  We could store similar hashes of all the passwords tried
(up to pwdMaxFailure) and compare against that?

I'm wondering if that's even necessary. According to your description so far, it would be sufficient to only store 1 failed password. If as you say, the same password is tried multiple times, then this should be good enough.


Short of actually coding this up myself, what can I do to move it
along to at least a feature request that will be considered?

Feature requests are treated like anything else. http://www.openldap.org/its/

And again, the Project is run on a volunteer basis. If no one in the community is interested in writing code for this feature, it will be ignored.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/