ppolicy module limited to catching 1 login failure per second?
- To: openldap-technical@openldap.org
- Subject: ppolicy module limited to catching 1 login failure per second?
- From: "Paul B. Henson" <henson@acm.org>
- Date: Sun, 27 Apr 2014 19:29:06 -0700
- Content-disposition: inline
- User-agent: Mutt/1.5.23 (2014-03-12)
We're testing the ppolicy module for the purposes of enabling account
lockout on our ldap infrastructure. During initial testing, I noticed
that it didn't seem to be catching all of the failed logins, and then
realized that the pwdFailureTime attribute in which they are stored
seems to have a granularity of only 1 second?
So, if there are 100 failed logins in 1 second, for the purposes of
account lockout, the password policy module only records them all as 1
failed login? Such that if you had a pwdMaxFailure set to 100, an
intruder would actually be able to get in 10000 password guess attempts
before the account was actually locked out?
Am I misunderstanding something here? Is there any way to get
pwdFailureTime to use microsecond granularity like entryCSN?
Thanks...
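A small Python model of the undercounting the poster describes (an added example, not code from the original thread or from OpenLDAP's ppolicy overlay): a multi-valued LDAP attribute cannot hold two identical values, so if pwdFailureTime is stamped with whole-second GeneralizedTime, every failed bind in the same second collapses into one stored value, and a counter derived from those values sees only one failure. The `PolicyAccount` class and `simulate_burst` helper are hypothetical names for this model; pwdFailureCountInterval and pwdLockoutDuration are deliberately not modelled.

```python
from datetime import datetime, timedelta, timezone


def generalized_time(ts, microseconds):
    """Format a timestamp as LDAP GeneralizedTime, either whole seconds
    (YYYYMMDDHHMMSSZ) or microseconds (YYYYMMDDHHMMSS.ffffffZ, as entryCSN uses)."""
    if microseconds:
        return ts.strftime("%Y%m%d%H%M%S.%fZ")
    return ts.strftime("%Y%m%d%H%M%SZ")


class PolicyAccount:
    """Model (not OpenLDAP's code) of an entry whose failed binds are recorded
    as pwdFailureTime values and compared against pwdMaxFailure."""

    def __init__(self, pwd_max_failure, microseconds):
        self.pwd_max_failure = pwd_max_failure
        self.microseconds = microseconds
        self.pwd_failure_time = set()  # attribute values are unique, hence a set
        self.locked = False

    def record_failure(self, ts):
        """Store one failed bind; lock when the distinct values reach the limit."""
        self.pwd_failure_time.add(generalized_time(ts, self.microseconds))
        if len(self.pwd_failure_time) >= self.pwd_max_failure:
            self.locked = True
        return self.locked


def simulate_burst(attempts, per_second, pwd_max_failure, microseconds):
    """Feed a constructed burst of failed binds at a fixed rate.

    Returns (distinct pwdFailureTime values stored, attempt number at which
    the account locked, or None if it never did)."""
    acct = PolicyAccount(pwd_max_failure, microseconds)
    start = datetime(2014, 4, 27, 19, 29, 6, tzinfo=timezone.utc)  # constructed
    step = timedelta(seconds=1) / per_second
    for i in range(attempts):
        if acct.record_failure(start + i * step):
            return len(acct.pwd_failure_time), i + 1
    return len(acct.pwd_failure_time), None


if __name__ == "__main__":
    # 100 failures inside one second: one value at second granularity,
    # 100 values (and an immediate lockout) at microsecond granularity.
    print(simulate_burst(100, 100, 100, microseconds=False))
    print(simulate_burst(100, 100, 100, microseconds=True))
    print(simulate_burst(10000, 100, 100, microseconds=False))
```

The third run shows the effect the poster works out by hand: at 100 failures per second with pwdMaxFailure 100 and one-second stamps, the lockout only trips once the burst has spanned 100 distinct seconds.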