Control: tag -1 moreinfo

Hello Mats,

I finally looked more closely at this bug, and I believe the code is working as intended.

On Fri, Dec 08, 2017 at 08:39:32AM +0100, Mats Luspa wrote:
in the overlay ppolicy you can use pwdFailureCountInterval attribute. The 
documentation says "pwdFailureCountInterval attribute holds the number of 
seconds after which the password failures are purged from the failure counter, even 
though no successful authentication occurred.
If pwdFailureCountInterval attribute is not present, or if its value is 0, the 
failure counter is only reset by a successful authentication."

But that doesn't work.

The documentation doesn't talk about how many values of pwdFailureTime are actually present in the database, only how many are _counted_ when deciding whether to lock the account.

Given the following policy:

pwdFailureCountInterval: 10
pwdMaxFailure: 2
pwdLockout: TRUE

If I try an incorrect password two times within ten seconds, my account will be locked (permanently, since I did not specify a lock duration).

However, if I try an incorrect password one time, wait at least ten seconds, and then try it again, my account will not be locked, because the earlier failure is considered to have expired and is not counted. I have verified this in the jessie version of slapd.

In either case, it's intentional that pwdFailureTime is not physically deleted until the next successful authentication. It's possible the documentation is not clear enough on this point.

Please let me know if you agree with my analysis above.


Reply via email to