Re: (ITS#8185) Clarification/enhancement request: purging stale pwdFailureTime attributes
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8185) Clarification/enhancement request: purging stale pwdFailureTime attributes
- From: subbarao@computer.org
- Date: Mon, 06 Jul 2015 17:49:53 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
On 07/06/2015 01:30 PM, Michael Ströder wrote:
> Consider that you are under on-going attack with many different
> accounts affected by the lockout threshold. Then you cannot simply wait
> for pwdFailureCountInterval seconds because your system is changing
> all the time.
>
> Such a situation is a real world scenario.
Ok -- I'm probably not understanding enough about your particular
scenario to fully appreciate the concerns that you express. But I think
there could be ways to address them in this enhancement -- for instance,
by adding optional parameter(s) like ppolicy_purge_failures <nfailures>
and/or ppolicy_purge_olderthan <timestamp>, which could then be
configured to accommodate the scenario you describe.
At this point, I think I'll leave it up to the OpenLDAP developers as
to how they want to proceed on this, and/or to ask for more information.
Thanks for the discussion, Michael.
Regards,
-Kartik
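The purge logic debated above, as an added example that is not part of the thread and not OpenLDAP's code: it models which pwdFailureTime values a purge would remove under the existing pwdFailureCountInterval rule (failures older than the interval no longer count) and under the two knobs Kartik proposes, ppolicy_purge_failures and ppolicy_purge_olderthan, whose names and semantics are hypothetical here. The sample failure timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: pwdFailureTime values as the ppolicy overlay records them,
# in RFC 4517 GeneralizedTime (whole seconds, UTC). Not from a real directory.
SAMPLE_FAILURES = [
    "20150706170000Z",
    "20150706173500Z",
    "20150706174500Z",
    "20150706174800Z",
    "20150705120000Z",  # a day-old failure: stale under any sane interval
]


def parse_generalized_time(value: str) -> datetime:
    """Parse the whole-second UTC GeneralizedTime form used by pwdFailureTime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def select_failures_to_purge(failure_times, now, count_interval=None,
                             purge_failures=None, purge_olderthan=None):
    """Return the sorted pwdFailureTime values a purge would delete.

    count_interval  : pwdFailureCountInterval in seconds. Failures older than
                      this no longer count toward pwdMaxFailure, so they are
                      stale. None means failures are kept indefinitely.
    purge_failures  : hypothetical ppolicy_purge_failures <nfailures>; keep
                      only the N most recent failures, drop the older excess.
    purge_olderthan : hypothetical ppolicy_purge_olderthan <timestamp>; drop
                      every failure recorded before this GeneralizedTime.
    """
    parsed = sorted((parse_generalized_time(v), v) for v in failure_times)
    purge = set()
    if count_interval is not None:
        cutoff = now - timedelta(seconds=count_interval)
        purge.update(v for t, v in parsed if t < cutoff)
    if purge_olderthan is not None:
        cutoff = parse_generalized_time(purge_olderthan)
        purge.update(v for t, v in parsed if t < cutoff)
    if purge_failures is not None and purge_failures >= 0:
        excess = len(parsed) - purge_failures  # oldest entries beyond the cap
        if excess > 0:
            purge.update(v for _, v in parsed[:excess])
    return sorted(purge)


if __name__ == "__main__":
    now = datetime(2015, 7, 6, 17, 50, tzinfo=timezone.utc)  # the mail's Date header
    print(select_failures_to_purge(SAMPLE_FAILURES, now, count_interval=3600))
    print(select_failures_to_purge(SAMPLE_FAILURES, now, purge_failures=2))
```

Under an on-going attack the count-interval rule alone never settles (new failures keep arriving), which is why the two extra knobs are modelled as independent cutoffs that can be combined.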