Re: Server side delay for bad passwords?

[Howard Chu <hyc@symas.com>]

Pierangelo Masarati wrote:
> Given the current implementation, the delay will keep a thread busy for
> its duration.  Your server, under attack, would quickly become
> unresponsive for any user.  Probably, your case should be handled
> separately, e.g. by writing an overlay that registers a delay for a
> given connection and quicly releases the operation, and a background
> thread that wakes up when it's time to return errors after the delay.
> Nothing dramatic, but definitely needs some development.

A bit trickier than that; it should not immediately release the operation 
either. Otherwise you can build up quite a long queue of pending Bind 
responses if they submit multiple Bind requests blindly. I.e., you also need 
to prevent the connection from accepting more operations while a delay is in 
effect.
--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/