From subbarao@computer.org Mon Jul 6 16:56:48 2015
From: subbarao@computer.org
To: openldap-bugs@openldap.org
Subject: Re: (ITS#8185) Clarification/enhancement request: purging stale pwdFailureTime attributes
Date: Mon, 06 Jul 2015 16:56:47 +0000

On 07/06/2015 12:25 PM, Michael Ströder wrote:
> Hmm, still have some doubts: If you want to raise the failure count limit
> later you would automatically unlock some accounts you don't want to unlock
> at this particular point in time.

Two thoughts on this:

1) If you raise the failure count limit, aren't you inherently making a decision to be more lenient in your policy, and thereby accepting that some accounts are not going to be locked out as fast as they might be under the previous policy? It seems to me that any "inadvertent" unlocking due to purged pwdFailureTime values could be embraced under this general umbrella of leniency.

2) If pwdFailureCountInterval is set to some reasonably low number, then this whole concern becomes moot: Just wait for pwdFailureCountInterval seconds after you decide to change the configuration, before actually changing the configuration :-)

I guess I haven't come across many sites that set pwdMaxFailure, but /don't/ also set pwdFailureCountInterval. But even in those cases, I think #1 would be valid :-)

Regards,
    -Kartik
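The interaction Kartik describes in point 2 can be checked with a small model of the ppolicy failure-count rule. The block below is an added example, not OpenLDAP code and not part of the thread: it treats pwdFailureTime values older than pwdFailureCountInterval as stale, compares the live count with pwdMaxFailure, and reports which entries would change from locked to unlocked when the limit is raised. The DNs, timestamps and policy values are constructed, the interval-0 "failures never expire" rule is taken from the password-policy draft, and the lock state is recomputed at evaluation time (a simplification of slapd, which records pwdAccountLockedTime on the entry).

```python
# Added example (not OpenLDAP code): a small model of the ppolicy failure-count
# check the thread discusses. pwdFailureTime values older than
# pwdFailureCountInterval are treated as stale and ignored; the live count is
# compared with pwdMaxFailure. All entries and timestamps are constructed.
from datetime import datetime, timedelta, timezone


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as 20150706122500Z (UTC).

    Fractional seconds, as real pwdFailureTime values carry
    (20150706122500.123456Z), are accepted and truncated.
    """
    head = value.rstrip("Z").split(".")[0]
    return datetime.strptime(head, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def live_failures(failure_times, now, pwd_failure_count_interval):
    """Return the pwdFailureTime values that still count at `now`.

    Assumption (as in the password-policy draft): an interval of 0 means
    failures never expire; otherwise anything older than the interval is stale.
    """
    times = sorted(parse_generalized_time(t) for t in failure_times)
    if pwd_failure_count_interval == 0:
        return times
    cutoff = now - timedelta(seconds=pwd_failure_count_interval)
    return [t for t in times if t > cutoff]


def is_locked_out(failure_times, now, pwd_max_failure, pwd_failure_count_interval):
    """True when the live failure count has reached pwdMaxFailure (0 disables lockout)."""
    if pwd_max_failure == 0:
        return False
    return len(live_failures(failure_times, now, pwd_failure_count_interval)) >= pwd_max_failure


def unlocked_by_raising_limit(entries, now, old_max, new_max, pwd_failure_count_interval):
    """DNs that are locked under old_max but not under new_max at time `now`.

    This is the "inadvertent unlock" Michael raises: the set is non-empty only
    for entries whose live failure count lies in [old_max, new_max).
    """
    return sorted(
        dn for dn, times in entries.items()
        if is_locked_out(times, now, old_max, pwd_failure_count_interval)
        and not is_locked_out(times, now, new_max, pwd_failure_count_interval)
    )


# Constructed sample entries: DN -> pwdFailureTime values.
SAMPLE_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": [
        "20150706122100Z", "20150706122200Z", "20150706122300Z",
    ],
    "uid=bob,ou=people,dc=example,dc=com": [
        "20150706122100Z", "20150706122200Z", "20150706122300Z",
        "20150706122330Z", "20150706122400Z", "20150706122430Z",
    ],
    "uid=carol,ou=people,dc=example,dc=com": ["20150706122400Z"],
}


def demo():
    """Return the unlock sets before and after waiting pwdFailureCountInterval seconds."""
    interval = 300  # pwdFailureCountInterval in seconds (constructed policy value)
    change_time = parse_generalized_time("20150706122500Z")
    # Raise pwdMaxFailure from 3 to 5 right away: alice (3 live failures) unlocks,
    # bob (6 live) stays locked, carol (1) was never locked.
    immediate = unlocked_by_raising_limit(SAMPLE_ENTRIES, change_time, 3, 5, interval)
    # Kartik's point 2: wait pwdFailureCountInterval seconds first, then change;
    # every sample failure has gone stale by then, so nobody's state flips.
    after_wait = unlocked_by_raising_limit(
        SAMPLE_ENTRIES, change_time + timedelta(seconds=interval), 3, 5, interval)
    return immediate, after_wait


if __name__ == "__main__":
    now_set, later_set = demo()
    print("unlocked if changed now:", now_set)
    print("unlocked after waiting:", later_set)
```

Running it lists alice as the one account the immediate change would unlock and an empty set once the interval has elapsed, which is the waiting argument in point 2; with pwdFailureCountInterval set to 0 the stale values never expire, so the waiting trick does not apply and only point 1 remains.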