[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#8185) Clarification/enhancement request: purging stale pwdFailureTime attributes
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8185) Clarification/enhancement request: purging stale pwdFailureTime attributes
- From: hyc@symas.com
- Date: Fri, 14 Aug 2015 14:25:29 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
subbarao@computer.org wrote:
> On 07/06/2015 01:30 PM, Michael Ströder wrote:
>> Consider that you are under on-going attack with many different
>> accounts affected by the lockout treshold. Then you cannot simply wait
>> for pwdFailureCountInterval seconds because your system is changing
>> all the time.
>>
>> Such a situation is a real world scenario.
>
> Ok -- I'm probably not understanding enough about your particular
> scenario to fully appreciate the concerns that you express. But I think
> there could be ways to address them in this enhancement -- for instance,
> by adding optional parameter(s) like ppolicy_purge_failures <nfailures>
> and/or ppolicy_purge_olderthan <timestamp>, which could then be
> configured to accommodate the scenario you describe.
>
> At this point, I'll think I'll leave it up to the OpenLDAP developers as
> to how they want to proceed on this, and/or to ask for more information.
I've added a pwdMaxRecordedFailure attribute to the policy schema. Overloading
pwdMaxFailure would be a mistake.
MaxRecordedFailure will default to MaxFailure if that is set. It defaults to 5
if nothing is set. There's no good reason to allow the timestamps to
accumulate without bound.
This is now available for testing in git master.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/