Aravind Gottipati wrote:
On Tue, Jan 27, 2009 at 2:01 PM, Clowser, Jeff jeff_clowser@fanniemae.com wrote:
I will say that if such an enhancement *were* to be implemented, it would probably eliminate almost all our false positives and only lock out users for extreme cases and genuine attacks...
Yup, this is proving to be a pita for us. Folks log in from multiple machines and get locked out when they forget to propagate their password changes to all those machines.
Also, I am not sure how this will be any greater security risk than the current system of storing an SSHA hash of the current password within LDAP? We could store similar hashes of all the passwords tried (up to pwdMaxFailure) and compare against that?
I'm wondering if that's even necessary. According to your description so far, it would be sufficient to only store 1 failed password. If as you say, the same password is tried multiple times, then this should be good enough.
Short of actually coding this up myself, what can I do to move it along to at least a feature request that will be considered?
Feature requests are treated like anything else. http://www.openldap.org/its/
And again, the Project is run on a volunteer basis. If no one in the community is interested in writing code for this feature, it will be ignored.