Emmanuel Dreyfus wrote:
Hello,

We ran into the following problem: someone changes their password, but has a few devices with the old password recorded. Before the user has time to update the stored passwords, a buggy client hammers the servers with requests using the old password and gets the account locked by slapo-ppolicy.

Perhaps there could be a setting in pwdPolicy or in slapd.conf so that there is a grace time after a password reset? For instance, the admin could configure that slapo-ppolicy should not lock a user if the password has been changed less than X seconds ago.

Opinions?
Opinions: First of all, password lockout itself is a dumb idea, and we only implement it because it's part of the original ppolicy spec. The ppolicy spec is pathetically bad though.
As for a grace time, that sounds like a terrible idea too, since sometimes passwords are changed with some urgency, specifically because of the imminent danger of an attack or fraudulent use.
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
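As an added illustration (not code from this thread or from OpenLDAP), here is a small Python model of the lockout decision with the grace window proposed above, using the standard pwdPolicy operational attribute names; the `grace_seconds` knob is hypothetical, the sample entry is constructed, and the model counts only failures recorded in pwdFailureTime.

```python
"""Model of a slapo-ppolicy-style lockout decision, with an optional
hypothetical grace window after the last password change (not real
OpenLDAP code; illustrates the proposal discussed in the thread)."""
from datetime import datetime, timedelta, timezone


def parse_gt(value):
    """Parse an LDAP GeneralizedTime value such as 20240101120000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def should_lock(entry, now, pwd_max_failure, pwd_failure_count_interval=0,
                grace_seconds=0):
    """Return True if the account would be locked at time `now`.

    entry: dict with pwdChangedTime (GeneralizedTime string) and a list of
           pwdFailureTime values, as the ppolicy overlay records them.
    pwd_failure_count_interval: like the pwdPolicy attribute, failures
           older than this many seconds are not counted (0 = count all).
    grace_seconds: the hypothetical setting from the thread; 0 means the
           stock behaviour (lock as soon as pwdMaxFailure is reached).
    """
    failures = [parse_gt(t) for t in entry.get("pwdFailureTime", [])]
    if pwd_failure_count_interval:
        cutoff = now - timedelta(seconds=pwd_failure_count_interval)
        failures = [t for t in failures if t >= cutoff]
    if len(failures) < pwd_max_failure:
        return False
    changed = parse_gt(entry["pwdChangedTime"])
    if grace_seconds and now - changed < timedelta(seconds=grace_seconds):
        # Proposed grace window: failures shortly after a change do not
        # lock, whether they come from a stale device or from anyone else.
        return False
    return True


# Constructed sample: password changed at 12:00:00Z, then three failed
# binds from a device still holding the old password.
SAMPLE_ENTRY = {
    "pwdChangedTime": "20240101120000Z",
    "pwdFailureTime": ["20240101120010Z", "20240101120020Z", "20240101120030Z"],
}

if __name__ == "__main__":
    now = parse_gt("20240101120100Z")
    print("stock:", should_lock(SAMPLE_ENTRY, now, pwd_max_failure=3))
    print("grace 300s:", should_lock(SAMPLE_ENTRY, now, 3, grace_seconds=300))
```

The same window that spares a stale device also ignores the failures of anyone else trying the old password during those seconds, which is the objection raised in the reply above.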