Re: [ldapext] Unfinished business: password policy and VLV
One other point that I almost forgot - the whole issue of intruder detection
is still rather fragile. E.g., if an attacker is running a stream of guesses
against a user while the real user logs in, then the successful login will
erase the current pwdFailureTime state and so allow the attacker a few more
chances unimpeded.
I suppose this is only a small problem in general. My first response to this
is that password failures should only be tracked ephemerally, within a
particular DSA. I would also say they should be tracked by client IP address,
but these days attacks by botnets make the value of that approach less clear.
It's also less effective in an environment using a cluster of load balanced
DSAs. But I think it still makes more sense to track failures within a single
DSA than to deal with replication of that state.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
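The race described in the message, as an added simulation that is not code from the post, from OpenLDAP or from the password-policy draft: one tracker keeps failure state on the user entry in the pwdFailureTime style, so any successful bind for that user clears the count; the other keeps ephemeral, DSA-local state keyed by (user, client address) as the message proposes, so a successful bind from the real user's address leaves an attacker's count untouched. The lockout threshold (3), the window (300 s), the user name and the client addresses are constructed for the example.

```python
"""Added example: two intruder-detection designs under interleaved binds."""
from dataclasses import dataclass, field

MAX_FAILURES = 3          # assumed policy: lock after this many failures in the window
LOCKOUT_SECONDS = 300     # assumed window for counting failures and lockout duration


def _recent(times, now):
    """Keep only failures still inside the counting window."""
    return [t for t in times if now - t < LOCKOUT_SECONDS]


@dataclass
class PerEntryPolicy:
    """Failure state kept on the user entry (pwdFailureTime style).
    Any successful bind for the user clears it, whoever performed it."""
    failures: dict = field(default_factory=dict)      # user -> [failure times]
    locked_until: dict = field(default_factory=dict)  # user -> unlock time

    def bind(self, user, source, password_ok, now):
        if self.locked_until.get(user, 0) > now:
            return "locked"
        if password_ok:
            self.failures.pop(user, None)  # also resets a concurrent guesser's count
            return "ok"
        times = _recent(self.failures.get(user, []), now) + [now]
        self.failures[user] = times
        if len(times) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            return "locked"
        return "fail"


@dataclass
class PerSourcePolicy:
    """Ephemeral, DSA-local state keyed by (user, client address).
    Held only in memory: nothing is written to the entry or replicated."""
    failures: dict = field(default_factory=dict)      # (user, source) -> [times]
    locked_until: dict = field(default_factory=dict)  # (user, source) -> unlock time

    def bind(self, user, source, password_ok, now):
        key = (user, source)
        if self.locked_until.get(key, 0) > now:
            return "locked"
        if password_ok:
            self.failures.pop(key, None)  # clears only this client's own failures
            return "ok"
        times = _recent(self.failures.get(key, []), now) + [now]
        self.failures[key] = times
        if len(times) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            return "locked"
        return "fail"


def run_scenario(policy):
    """Constructed sequence: guesses from one address interleaved with the
    real user's successful bind from another. Returns the bind outcomes."""
    attempts = [
        ("alice", "10.0.0.9",  False, 100),  # guess 1 (constructed address)
        ("alice", "10.0.0.9",  False, 101),  # guess 2
        ("alice", "192.0.2.5", True,  102),  # real user logs in
        ("alice", "10.0.0.9",  False, 103),  # guess 3
    ]
    return [policy.bind(*attempt) for attempt in attempts]


if __name__ == "__main__":
    # per-entry : ['fail', 'fail', 'ok', 'fail']   count reset by the user's login
    # per-source: ['fail', 'fail', 'ok', 'locked'] count survives it
    print("per-entry :", run_scenario(PerEntryPolicy()))
    print("per-source:", run_scenario(PerSourcePolicy()))
```

With the per-entry policy the third guess lands on a freshly cleared counter, which is the extra headroom the message describes. The per-source policy closes that gap on a single DSA, and a lockout keyed by address does not block the legitimate user, but it carries the two caveats already noted in the message: guesses spread across many source addresses each get their own counter, and in a load-balanced cluster each DSA sees only its own share of the failures unless the state is shared.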