[email protected] wrote:
> On 07/06/2015 01:30 PM, Michael Ströder wrote:
>> Consider that you are under on-going attack with many different
>> accounts affected by the lockout threshold. Then you cannot simply wait
>> for pwdFailureCountInterval seconds because your system is changing
>> all the time.
>>
>> Such a situation is a real world scenario.
>
> Ok -- I'm probably not understanding enough about your particular
> scenario to fully appreciate the concerns that you express. But I think
> there could be ways to address them in this enhancement -- for instance,
> by adding optional parameter(s) like ppolicy_purge_failures <nfailures>
> and/or ppolicy_purge_olderthan <timestamp>, which could then be
> configured to accommodate the scenario you describe.
>
> At this point, I think I'll leave it up to the OpenLDAP developers as
> to how they want to proceed on this, and/or to ask for more information.
I've added a pwdMaxRecordedFailure attribute to the policy schema.
Overloading pwdMaxFailure would be a mistake. MaxRecordedFailure will
default to MaxFailure if that is set. It defaults to 5 if nothing is set.

There's no good reason to allow the timestamps to accumulate without bound.

This is now available for testing in git master.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
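The following is an added illustration of the behaviour discussed in this thread; it is not OpenLDAP's ppolicy source and was not posted by any participant. It models a policy that records one pwdFailureTime value per failed bind, expires values older than pwdFailureCountInterval, and caps how many values are kept using the defaulting rule Howard describes (pwdMaxRecordedFailure, else pwdMaxFailure, else 5). The function names, the exact pruning rule and the sustained-attack simulation are assumptions made for the example, chosen to show why the stored timestamps stay bounded even under the continuous-failure scenario Michael raised.

```python
"""Toy model of bounded failure recording in a ppolicy-style overlay.

Added example, not OpenLDAP code. Attribute names follow the thread;
the pruning and lockout logic is a simplifying assumption.
"""
from typing import Dict, List, Optional

# Default stated in the thread when neither pwdMaxRecordedFailure nor
# pwdMaxFailure is configured.
DEFAULT_MAX_RECORDED = 5


def effective_max_recorded(pwd_max_failure: Optional[int],
                           pwd_max_recorded_failure: Optional[int]) -> int:
    """Resolve the cap on stored pwdFailureTime values (thread's rule)."""
    if pwd_max_recorded_failure:
        return pwd_max_recorded_failure
    if pwd_max_failure:
        return pwd_max_failure
    return DEFAULT_MAX_RECORDED


def prune_expired(failure_times: List[int], now: int,
                  count_interval: int) -> List[int]:
    """Drop failures older than pwdFailureCountInterval seconds.

    A zero or negative interval is treated as 'never expire' (assumption).
    """
    if count_interval <= 0:
        return list(failure_times)
    return [t for t in failure_times if now - t < count_interval]


def record_failure(failure_times: List[int], now: int, count_interval: int,
                   max_recorded: int) -> List[int]:
    """Append a failure timestamp and keep only the newest max_recorded values."""
    times = prune_expired(failure_times, now, count_interval)
    times.append(now)
    times.sort()
    return times[-max_recorded:]


def is_locked_out(failure_times: List[int], now: int, count_interval: int,
                  pwd_max_failure: Optional[int]) -> bool:
    """Locked when at least pwdMaxFailure unexpired failures are recorded."""
    if not pwd_max_failure:
        return False
    return len(prune_expired(failure_times, now, count_interval)) >= pwd_max_failure


def simulate_attack(n_attempts: int, step_seconds: int, count_interval: int,
                    pwd_max_failure: Optional[int],
                    pwd_max_recorded_failure: Optional[int] = None) -> Dict[str, Optional[int]]:
    """Constructed scenario: one failed bind every step_seconds, n_attempts times.

    Returns how many timestamps remain stored, the cap that applied, and
    the attempt number at which the account first locked (None if never).
    """
    cap = effective_max_recorded(pwd_max_failure, pwd_max_recorded_failure)
    times: List[int] = []
    first_lockout: Optional[int] = None
    for i in range(n_attempts):
        now = i * step_seconds
        times = record_failure(times, now, count_interval, cap)
        if first_lockout is None and is_locked_out(times, now, count_interval,
                                                   pwd_max_failure):
            first_lockout = i + 1
    return {"recorded": len(times), "cap": cap, "first_lockout_attempt": first_lockout}


if __name__ == "__main__":
    # Sustained attack: 1000 failures one second apart, 5-minute interval.
    print(simulate_attack(1000, 1, 300, pwd_max_failure=3))
    # No lockout threshold configured: cap falls back to 5.
    print(simulate_attack(1000, 1, 300, pwd_max_failure=None))
    # Explicit pwdMaxRecordedFailure larger than pwdMaxFailure.
    print(simulate_attack(1000, 1, 300, pwd_max_failure=3, pwd_max_recorded_failure=10))
```

The point of the simulation is the first return value: however long the attack continues, the number of stored timestamps never exceeds the cap, which is what makes the accumulation concern moot without having to wait out pwdFailureCountInterval on a system that is changing all the time.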
