On 07/06/2015 01:30 PM, Michael Ströder wrote:
Consider that you are under an on-going attack with many different accounts affected by the lockout threshold. Then you cannot simply wait for pwdFailureCountInterval seconds because your system is changing all the time.
Such a situation is a real world scenario.
Ok -- I'm probably not understanding enough about your particular scenario to fully appreciate the concerns that you express. But I think there could be ways to address them in this enhancement -- for instance, by adding optional parameter(s) like ppolicy_purge_failures <nfailures> and/or ppolicy_purge_olderthan <timestamp>, which could then be configured to accommodate the scenario you describe.
At this point, I think I'll leave it up to the OpenLDAP developers as to how they want to proceed on this, and/or to ask for more information.
Thanks for the discussion Michael.
Regards,
-Kartik
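The exchange above turns on how the ppolicy failure window behaves under sustained attack. The following toy simulation is an added example, not OpenLDAP's code or anything from the thread's authors: it models pwdFailureTime as a list of bind-failure timestamps, drops values older than pwdFailureCountInterval, and locks the entry once pwdMaxFailure values remain (the semantics of the LDAP password-policy draft that the ppolicy overlay implements). The `purge_failures` helper and its `nfailures` / `olderthan` parameters are a hypothetical rendering of the proposal in the reply above; the entry DNs and attack timings are constructed sample data. It shows why waiting out the interval clears nothing while failures keep arriving, but an explicit purge does.

```python
"""Toy model of the ppolicy lockout window (added example, not OpenLDAP code).

pwdFailureTime: one timestamp per consecutive bind failure.
pwdFailureCountInterval: failures older than this many seconds are dropped
    (0 means they never expire by time, only on a successful bind).
pwdMaxFailure: the lockout threshold on the remaining timestamps.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Policy:
    pwd_max_failure: int = 5
    pwd_failure_count_interval: int = 60  # seconds


@dataclass
class Entry:
    dn: str
    pwd_failure_time: List[float] = field(default_factory=list)


def expire_failures(entry: Entry, policy: Policy, now: float) -> None:
    """Drop pwdFailureTime values outside the count interval (done on each bind)."""
    if policy.pwd_failure_count_interval > 0:
        cutoff = now - policy.pwd_failure_count_interval
        entry.pwd_failure_time = [t for t in entry.pwd_failure_time if t > cutoff]


def is_locked(entry: Entry, policy: Policy, now: float) -> bool:
    expire_failures(entry, policy, now)
    return len(entry.pwd_failure_time) >= policy.pwd_max_failure


def record_failure(entry: Entry, policy: Policy, now: float) -> bool:
    """A failed bind at time `now`; returns whether the entry is now locked."""
    expire_failures(entry, policy, now)
    entry.pwd_failure_time.append(now)
    return is_locked(entry, policy, now)


def purge_failures(entry: Entry, nfailures: Optional[int] = None,
                   olderthan: Optional[float] = None) -> int:
    """Hypothetical admin-side purge modelled on the thread's proposal.

    nfailures: keep at most the N most recent failure timestamps.
    olderthan: drop every timestamp at or before this absolute time.
    Returns the number of timestamps left on the entry.
    """
    times = sorted(entry.pwd_failure_time)
    if olderthan is not None:
        times = [t for t in times if t > olderthan]
    if nfailures is not None and nfailures < len(times):
        times = times[len(times) - nfailures:]  # nfailures == 0 empties the list
    entry.pwd_failure_time = times
    return len(times)


def simulate_sustained_attack(policy: Policy, attempt_every: float, duration: float,
                              wait: float, attack_continues: bool) -> Tuple[bool, bool, int]:
    """One account (constructed DN) gets a bad bind every `attempt_every` seconds
    for `duration` seconds; the admin then 'waits' `wait` seconds, with the attack
    either still running or stopped. Returns
    (locked after the attack, locked after the wait, failures still recorded)."""
    entry = Entry("uid=alice,dc=example,dc=com")
    now = 0.0
    while now < duration:
        record_failure(entry, policy, now)
        now += attempt_every
    locked_after_attack = is_locked(entry, policy, now)
    end = now + wait
    if attack_continues:
        while now < end:
            record_failure(entry, policy, now)
            now += attempt_every
    else:
        now = end
    return locked_after_attack, is_locked(entry, policy, now), len(entry.pwd_failure_time)


if __name__ == "__main__":
    pol = Policy(pwd_max_failure=5, pwd_failure_count_interval=60)
    print("attack keeps running:", simulate_sustained_attack(pol, 10, 120, 60, True))
    print("attack stopped:      ", simulate_sustained_attack(pol, 10, 120, 60, False))
    e = Entry("uid=bob,dc=example,dc=com", [100.0, 110.0, 120.0, 130.0, 140.0])
    print("left after purge nfailures=2:", purge_failures(e, nfailures=2), e.pwd_failure_time)
```

With a failure every 10 s and a 60 s interval, the account is still locked after the wait when the attack continues, because the window always holds the newest five or six failures; only when the attempts stop does the interval empty it. The purge keeps the lockout state consistent regardless of the attack rate, which is the property the thread is after.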