
Password policy: possible DoS scenario


Thanks to everyone who answered me earlier, I've managed to set up a
password policy on the OpenLDAP provided in the CentOS 5.5 repositories
(current version 2.3.43).

The setup: we have a password policy enabled for user accounts in our
intranet. After 5 unsuccessful attempts the account is blocked for a short
duration (30 seconds).

Does that mean that anyone can now keep all the accounts blocked most of
the time? Am I right that if anyone enters someone else's incorrect
password 5 times (in the given case), they will block the target account
(regardless of what IP address the attacker was connecting from)?

Narrower question: do the password policy module developers plan to take
into account which IPs are used to connect (thus blocking access only
from specific IPs)?

All the best,
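As an added illustration, not code from this thread or from OpenLDAP, the following Python model walks through the per-entry bookkeeping the ppolicy overlay keeps, as described in the LDAP password policy draft: failed binds are recorded in pwdFailureTime, the account is locked by setting pwdAccountLockedTime once pwdMaxFailure failures have accumulated, the lock lasts pwdLockoutDuration seconds, and failures older than pwdFailureCountInterval are discarded. The attribute and policy names are the real ones; the DN, password, timestamps and source IPs are constructed, and the way an expired lock is cleared is a simplification of the overlay's actual code. The scenario answers the question above in code: five wrong passwords from five different addresses lock the account, and the legitimate user is refused even with the right password until the 30 seconds have passed, because nothing in the entry's state records where a failure came from.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Policy:
    """Subset of a pwdPolicy entry (attribute names as in the ppolicy schema)."""
    pwd_max_failure: int = 5              # pwdMaxFailure
    pwd_lockout_duration: int = 30        # pwdLockoutDuration, seconds (0 = until admin reset)
    pwd_failure_count_interval: int = 0   # pwdFailureCountInterval, seconds (0 = failures never expire)


@dataclass
class Entry:
    """Operational state the overlay stores on the user entry itself."""
    dn: str
    password: str
    pwd_failure_time: List[int] = field(default_factory=list)   # pwdFailureTime values
    pwd_account_locked_time: Optional[int] = None               # pwdAccountLockedTime


def is_locked(entry: Entry, policy: Policy, now: int) -> bool:
    if entry.pwd_account_locked_time is None:
        return False
    if policy.pwd_lockout_duration == 0:
        return True   # locked until an administrator resets the password
    return now < entry.pwd_account_locked_time + policy.pwd_lockout_duration


def bind(entry: Entry, policy: Policy, password: str, now: int, source_ip: str) -> Tuple[bool, str]:
    """Simulate a simple bind against the entry. Returns (success, reason).

    source_ip is accepted only to make the point explicit: it never enters
    the decision, because the lockout state lives in the entry, not per client.
    """
    # Drop failures that fall outside pwdFailureCountInterval (if one is set).
    if policy.pwd_failure_count_interval:
        entry.pwd_failure_time = [
            t for t in entry.pwd_failure_time
            if now - t < policy.pwd_failure_count_interval
        ]
    if is_locked(entry, policy, now):
        return False, "accountLocked"
    # Simplification (assumption): an expired lock is cleared together with the
    # failure history when the next bind arrives.
    if entry.pwd_account_locked_time is not None:
        entry.pwd_account_locked_time = None
        entry.pwd_failure_time = []
    if password == entry.password:
        entry.pwd_failure_time = []   # successful bind clears pwdFailureTime
        return True, "ok"
    entry.pwd_failure_time.append(now)
    if len(entry.pwd_failure_time) >= policy.pwd_max_failure:
        entry.pwd_account_locked_time = now
        return False, "accountLocked"
    return False, "invalidCredentials"


def attacker_locks_victim(policy: Policy = Policy()) -> Tuple[Tuple[bool, str], Tuple[bool, str]]:
    """Five wrong passwords from five different addresses, then the real user tries."""
    victim = Entry("uid=alice,ou=people,dc=example,dc=com", "correct horse")  # constructed
    for i in range(5):
        bind(victim, policy, "wrong", now=100 + i, source_ip="10.0.0.%d" % (i + 1))  # constructed IPs
    # t=105: the legitimate user, from yet another address, with the right password.
    during_lock = bind(victim, policy, "correct horse", now=105, source_ip="192.0.2.10")
    # t=134: pwdLockoutDuration (30 s) has elapsed since the lock at t=104.
    after_lock = bind(victim, policy, "correct horse", now=134, source_ip="192.0.2.10")
    return during_lock, after_lock


def spread_out_failures_do_not_lock() -> int:
    """With pwdFailureCountInterval set, old failures stop counting."""
    policy = Policy(pwd_max_failure=5, pwd_lockout_duration=30, pwd_failure_count_interval=60)
    victim = Entry("uid=bob,ou=people,dc=example,dc=com", "secret")  # constructed
    for t in (0, 1, 2):
        bind(victim, policy, "wrong", now=t, source_ip="10.0.0.1")
    bind(victim, policy, "wrong", now=100, source_ip="10.0.0.1")   # first three have expired
    return len(victim.pwd_failure_time)


if __name__ == "__main__":
    print(attacker_locks_victim())           # ((False, 'accountLocked'), (True, 'ok'))
    print(spread_out_failures_do_not_lock())  # 1
```

The model makes the practical consequence visible: the only thing an attacker needs is the victim's DN (or uid) and the ability to open connections to slapd; the entry's pwdFailureTime and pwdAccountLockedTime attributes carry no client address, so any per-source throttling has to be done in front of the directory (firewall or connection-rate limiting keyed on the client address) rather than inside the policy entry. Raising pwdMaxFailure, keeping pwdLockoutDuration short, and setting pwdFailureCountInterval so that slow, spread-out failures expire all reduce how long an attacker can keep an account locked, but none of them changes the per-account nature of the lock.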