On Tuesday, 1 March 2011 07:23:41 Konstantin Boyandin wrote: > Hello, > > Thanks to everyone having answered me earlier, I've managed to set up > password policy on the OpenLDAP provided in CentOS 5.5 repositories > (current version 2.3.43). > > The setup: we have password policy enabled for users accounts in our > intranet. After 5 unsuccessful attempts the account is blocked for short > duration (30 seconds). > > Does that mean that anyone now can keep all the accounts blocked most of > the time?
Well, you do the maths. But, surely you have enough monitoring in place that you would be able to notice a high rate of unsuccessful binds, so that the duration of "most of the time" would not be very long. > Am I right that if anyone enters someone else' incorrect > password 5 times (in the given case), they will block the target account > (regardless of what IP address the attacker was connecting from)? Yes. But, where is the line between a DoS and an attempt to break into an account? In either case, if this *is* only in your intranet, behaviour like this would surely violate your terms of use policy ... > Narrower question: do password policy module developers plan to take > into account what IPs are used to connect (thus, blocking only access > from specific IPs)? Maybe you should provide a specific use case, besides "my users violate my terms of use, and I can't do anything about it". Regards, Buchan
