[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ppolicy overlay and disk space exhaution

To: openldap-technical@openldap.org
Subject: Re: ppolicy overlay and disk space exhaution
From: Bruncko Michal <Michal.Bruncko@zssos.sk>
Date: Mon, 22 Feb 2016 13:22:17 +0100
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=zssos.sk; s=default; t=1456143737; bh=0L9/cIegY5tUjwW+59te6uwNqcug8US3Zy9HXvPu4e4=; h=MIME-Version:Content-Type:Content-Transfer-Encoding:Date:From:To: Subject:In-Reply-To:References:Message-ID; b=MF8vSDBE6FAqWEA3TQsD46lXgACJbYfPCmkduOVTz9FzL/jU5f7hNsnL2MCQ4yuLo fBFI50Av8nPTrz0rTWjOG4GPd3tX7cZz8OKK2FlsLvOTQHpb+WrQQBY1yBo12WLDzk nV618FXtsLXRi01dxAiEvRoQZSVNQkksESCy/5oY=
In-reply-to: <28E03EA9-1294-4A46-B680-E42E296F182B@ee.ryerson.ca>
Organization: Spojená škola, Ružomberok
References: <1329d2f946577f59e1d55d284988a806@zssos.sk> <56C9EA65.70907@symas.com> <28E03EA9-1294-4A46-B680-E42E296F182B@ee.ryerson.ca>
User-agent: Spojená škola, Ružomberok, Roundcube Webmail

Hello David

thanks for reply. this script can be useful, but it does not improvethis situation anyhow. for each failed bind attempt new value forpwdFailureTime attribute will be created anyway which result in samemodification operation with utilizing transaction log.that script is helpful to reduce overall number of values ofpwdFailureTime attribute which are already in LDAP DB.

this could be helpful as well: configuration variable which definesmaximum values for pwdFailureTime. and in case that number of actualvalues reached max value, do not update that attribute anymore. Yes,this will store NUM oldest failed attempts, but ensure thatpwdFailureTime will not be updated forever. but this seems to be requestfor ppolicy overlay code update rather than any external script.


thanks

michal

On 2016-02-22 3:38, David Magda wrote:

On Feb 21, 2016, at 11:48, Howard Chu <hyc@symas.com> wrote:

Bruncko Michal wrote:
Hello list
We use ppolicy overlay for enforcing password lifecycle. Recently wefacedwith following issue and now I am trying to do some countermeasuresto
minimize risk of issue reoccurring.
[…]
now the question: did anybody considered this "effect" of using
"pwdFailureTime" attribute? If so, what can I do to avoid thisbehavior tooccur? Or how you are facing with this potential kind of issues? Onone sideit is fine to see some failure attempt history. Also keepingpwdFailureTime
limited to some max number of values will not help as the LDAP modify
operation have to be done anyway. For me the only useful possibilityis to NOTuse this attribute pwdFailureTime at all, but how to do it? I haven'tfound
any possibility to disable using this attribute.
This is ITS#8327. The fix is released in 2.4.44.

You should upgrade.
You should not be using any BerkeleyDB-based backends, use back-mdbwhich does not need transaction log files.
If you cannot upgrade for some reason, someone wrote a Perl script
that deletes ‘excessive' pwdFailureTime attributes:

	http://www.openldap.org/lists/openldap-bugs/201507/msg00012.html

Follow-Ups:
- Re: ppolicy overlay and disk space exhaution
  - From: David Magda <dmagda@ee.ryerson.ca>

References:
- ppolicy overlay and disk space exhaution
  - From: Bruncko Michal <Michal.Bruncko@zssos.sk>
- Re: ppolicy overlay and disk space exhaution
  - From: Howard Chu <hyc@symas.com>
- Re: ppolicy overlay and disk space exhaution
  - From: David Magda <dmagda@ee.ryerson.ca>

Prev by Date: Re: ppolicy overlay and disk space exhaution
Next by Date: Re: "LDAP ease modify restrictions" support
Index(es):
- Chronological
- Thread