
(ITS#8185) Clarification/enhancement request: purging stale pwdFailureTime attributes



Full_Name: Kartik Subbarao
Version: 2.4.40
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (173.75.228.155)


Reading the slapo-ppolicy man page, I was optimistically expecting that excess
stale pwdFailureTime values might be removed from the entry after pwdMaxFailure
was exceeded. For example, if pwdMaxFailure is 5, then only the most recent 5
pwdFailureTime values would be kept, and the old ones purged as and when new
failed bind attempts were made.

This wording in the slapo-ppolicy man page sounds friendly towards this
interpretation: "Excess timestamps beyond those allowed by pwdMaxFailure may
also be purged."

Looking at the source code though, it doesn't seem that pwdFailureTime values
are actually removed unless a successful bind occurs -- whereupon all values of
course are removed.

I would like to request an enhancement to purge stale pwdFailureTime values as
mentioned above. This would also largely mitigate the issue raised in ITS#7089
without needing to develop more involved code for that. The common theme is to
ensure that pwdFailureTime values can't keep accumulating without bound, due to
broken/misconfigured clients that are beyond the LDAP server administrator's
control.
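As an added illustration of the purging behaviour the report asks for (this is example code written for this page, not code from OpenLDAP or slapo-ppolicy, and the function names are hypothetical): the snippet below takes an entry's pwdFailureTime values, keeps only the pwdMaxFailure most recent ones, and emits the LDIF delete-by-value change that would remove the rest. It assumes the values are in the UTC GeneralizedTime form ppolicy writes (with or without fractional seconds) and that a pwdMaxFailure of zero means the limit is not in force; the sample values are constructed.

```python
from datetime import datetime, timezone

# Constructed sample: eight timestamps, deliberately out of order and in both
# GeneralizedTime spellings, as they might accumulate from a misbehaving client.
SAMPLE_VALUES = [
    "20150618120000Z",
    "20150618120100.500000Z",
    "20150618120030Z",
    "20150617235959Z",
    "20150618120200Z",
    "20150618120300Z",
    "20150618120400Z",
    "20150618120500Z",
]


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime value in UTC ('Z') form.

    Handles 'YYYYmmddHHMMSSZ' and 'YYYYmmddHHMMSS.ffffffZ'. Only the UTC form
    is accepted here (assumption: that is what the overlay stores).
    """
    if not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime (expected trailing Z): {value!r}")
    body = value[:-1]
    if "." in body:
        main, frac = body.split(".", 1)
        micro = int((frac + "000000")[:6])  # pad/truncate to microseconds
    else:
        main, micro = body, 0
    dt = datetime.strptime(main, "%Y%m%d%H%M%S")
    return dt.replace(microsecond=micro, tzinfo=timezone.utc)


def stale_failure_times(values, pwd_max_failure):
    """Return the pwdFailureTime values beyond the pwd_max_failure newest ones.

    Sorting is by parsed time, not string order, so the two spellings compare
    correctly. A pwd_max_failure <= 0 is treated as 'no limit' (assumption),
    so nothing is reported stale in that case.
    """
    if pwd_max_failure <= 0:
        return []
    ordered = sorted(values, key=parse_generalized_time)  # oldest first
    excess = len(ordered) - pwd_max_failure
    return ordered[:excess] if excess > 0 else []


def purge_modlist(dn, values, pwd_max_failure):
    """Build an LDIF modify record deleting only the stale values.

    Deleting by value, rather than replacing the whole attribute, means a
    failed bind that adds a new timestamp concurrently is not clobbered.
    Returns an empty string when there is nothing to purge.
    """
    stale = stale_failure_times(values, pwd_max_failure)
    if not stale:
        return ""
    lines = [f"dn: {dn}", "changetype: modify", "delete: pwdFailureTime"]
    lines += [f"pwdFailureTime: {v}" for v in stale]
    lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # With pwdMaxFailure 5 the three oldest of the eight values are purged.
    print(purge_modlist("uid=example,dc=example,dc=com", SAMPLE_VALUES, 5))
```

The output is a plain LDIF change that an administrator could feed to ldapmodify from a periodic job until the overlay prunes the attribute itself; the bound the report wants (never more than pwdMaxFailure values on the entry) holds regardless of how many stale timestamps a broken client has pushed in.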