Howard Chu wrote: > Michael Ströder wrote: >> Paul B. Henson wrote: >>> On Fri, May 23, 2014 at 08:51:02PM -0700, Howard Chu wrote: >>> >>>> The *failure* occurred at that instant, not at the instant the request was >>>> received. It is simply a matter of correctness. >>> >>> For my purposes, it doesn't really matter whether the bind is considered >>> to have failed as of when it was attempted vs when all the processing >>> was completed, so if you prefer the latter I'll rework my patch to keep >>> those semanics. >>> >>>> You need to actually use microseconds, since the time-increment is >>>> only unique on the local server and will not guarantee uniqueness in a >>>> replication scenario. >>> >>> Ah, good point. >> >> But even with exact microseconds uniqueness cannot be guaranteed in a >> replication scenario. > > True, but collisions will be extremely rare, which cannot be said for using > the time-increment. > >> I also wonder what people who want to see pwdFailureTime replicated expect >> when bind requests are load-balanced to different replicas - not unusual. > > In the single-master case it's anybody's guess what anyone would expect. In a > multi-master case it's clear that the expectation is that all servers maintain > identical counts. > >> I don't think that you can meet the expectations of your IT sec folks >> regarding exact failure count. I suspect that people expect the failed logins to correctly sum up. This won't won't work reliably for an even not so high attack rate due to the replication latency. Ciao, Michael.
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature