
ppolicy module limited to catching 1 login failure per second?



We're testing the ppolicy module for the purposes of enabling account
lockout on our ldap infrastructure. During initial testing, I noticed
that it didn't seem to be catching all of the failed logins, and then
realized that the pwdFailureTime attribute in which they are stored
seems to have a granularity of only 1 second?

So, if there are 100 failed logins in 1 second, for the purposes of
account lockout, the password policy module only records them all as 1
failed login? Such that if you had a pwdMaxFailure set to 100, an
intruder would actually be able to get in 10000 password guess attempts
before the account was actually locked out?

Am I misunderstanding something here? Is there any way to get
pwdFailureTime to use microsecond granularity like entryCSN?

Thanks...
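The concern raised in the post, that a counter stored as a set of timestamp values collapses when several failures land in the same clock tick, can be illustrated with a small simulation. The following is an added example and not code from the original post or from the OpenLDAP ppolicy overlay; it assumes only that pwdFailureTime is a multi-valued attribute whose values are LDAP GeneralizedTime strings, so two failures that render to the same string are stored once. The attempt timings, the pwdMaxFailure value of 100 and the 100-attempts-per-second rate are constructed to match the scenario in the post.

```python
"""Added example: how a failure counter kept as a set of GeneralizedTime
values behaves at 1-second versus microsecond granularity.

All inputs below are constructed; nothing is read from a real directory."""
from datetime import datetime, timedelta, timezone


def generalized_time(ts: datetime, fractional: bool) -> str:
    """Render a UTC datetime as an LDAP GeneralizedTime string, with or
    without the fractional-seconds part (e.g. 20240101120000Z versus
    20240101120000.000123Z)."""
    base = ts.strftime("%Y%m%d%H%M%S")
    if fractional:
        return f"{base}.{ts.microsecond:06d}Z"
    return f"{base}Z"


def record_failures(attempt_times, fractional, pwd_max_failure):
    """Store one timestamp value per failed bind, as a multi-valued
    attribute would, and report (distinct values stored, locked out).

    Because the store is a set, failures whose timestamps render to the
    same string collapse into a single value; this is the effect the post
    describes for 1-second granularity."""
    stored = set()
    for t in attempt_times:
        stored.add(generalized_time(t, fractional))
    return len(stored), len(stored) >= pwd_max_failure


def attempts_before_lockout(attempt_times, fractional, pwd_max_failure):
    """Count how many failed binds are processed before the stored value
    count first reaches pwd_max_failure (None if it never does)."""
    stored = set()
    for n, t in enumerate(attempt_times, start=1):
        stored.add(generalized_time(t, fractional))
        if len(stored) >= pwd_max_failure:
            return n
    return None


def burst(start, count, interval):
    """Constructed attempt schedule: `count` failures spaced `interval` apart."""
    return [start + i * interval for i in range(count)]


if __name__ == "__main__":
    start = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    # Constructed rate from the post: 100 failed binds within one second.
    one_second = burst(start, 100, timedelta(milliseconds=10))
    for fractional in (False, True):
        print("fractional seconds:", fractional,
              "->", record_failures(one_second, fractional, 100))
    # Same rate sustained long enough to see when lockout would trigger.
    sustained = burst(start, 10000, timedelta(milliseconds=10))
    for fractional in (False, True):
        print("fractional seconds:", fractional,
              "-> locked after attempt",
              attempts_before_lockout(sustained, fractional, 100))
```

With whole-second values the hundred failures in the first second are stored as a single value, so lockout at pwdMaxFailure=100 is only reached once a hundred distinct seconds have seen a failure; with fractional seconds each failure is a distinct value and the hundredth attempt locks the account. The useful check on a real server is to inspect the stored pwdFailureTime values after a burst of deliberate failed binds against a test account and see whether they carry a fractional part.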