Hello David
thanks for reply. this script can be useful, but it does not improve
this situation anyhow. for each failed bind attempt new value for
pwdFailureTime attribute will be created anyway which result in same
modification operation with utilizing transaction log.
that script is helpful to reduce overall number of values of
pwdFailureTime attribute which are already in LDAP DB.
this could be helpful as well: configuration variable which defines
maximum values for pwdFailureTime. and in case that number of actual
values reached max value, do not update that attribute anymore. Yes,
this will store NUM oldest failed attempts, but ensure that
pwdFailureTime will not be updated forever. but this seems to be request
for ppolicy overlay code update rather than any external script.
thanks
michal
On 2016-02-22 3:38, David Magda wrote:
On Feb 21, 2016, at 11:48, Howard Chu <[email protected]> wrote:
Bruncko Michal wrote:
Hello list
We use ppolicy overlay for enforcing password lifecycle. Recently we
faced
with following issue and now I am trying to do some countermeasures
to
minimize risk of issue reoccurring.
[…]
now the question: did anybody considered this "effect" of using
"pwdFailureTime" attribute? If so, what can I do to avoid this
behavior to
occur? Or how you are facing with this potential kind of issues? On
one side
it is fine to see some failure attempt history. Also keeping
pwdFailureTime
limited to some max number of values will not help as the LDAP modify
operation have to be done anyway. For me the only useful possibility
is to NOT
use this attribute pwdFailureTime at all, but how to do it? I haven't
found
any possibility to disable using this attribute.
This is ITS#8327. The fix is released in 2.4.44.
You should upgrade.
You should not be using any BerkeleyDB-based backends, use back-mdb
which does not need transaction log files.
If you cannot upgrade for some reason, someone wrote a Perl script
that deletes ‘excessive' pwdFailureTime attributes:
http://www.openldap.org/lists/openldap-bugs/201507/msg00012.html
