On Tue, Jan 27, 2009 at 2:01 PM, Clowser, Jeff jeff_clowser@fanniemae.com wrote:
> I will say that if such an enhancement *were* to be implemented, it would probably eliminate almost all our false positives and only lock out users for extreme cases and genuine attacks...
Yup, this is proving to be a pita for us. Folks log in from multiple machines and get locked out when they forget to propagate their password changes to all those machines.
Also, I am not sure how this will be any greater security risk than the current system of storing an SSHA hash of the current password within LDAP? We could store similar hashes of all the passwords tried (up to pwdMaxFailure) and compare against that?
Short of actually coding this up myself, what can I do to move it along to at least a feature request that will be considered?
Thank you,
Aravind.