Hello
We ran into the following problem: someone changes their password, but has a few devices with the old password recorded. Before the user has time to update the stored passwords, a buggy client hammers the servers with requests using the old password, and gets the account locked by slapo-ppolicy.
Perhaps there could be a setting in pwdPolicy or in slapd.conf so that there is a grace time after a password reset? For instance, the admin could configure that slapo-ppolicy should not lock a user if the password has been changed less than X seconds ago.
Opinions?
Emmanuel Dreyfus wrote:
Hello
We ran into the following problem: someone changes their password, but has a few devices with the old password recorded. Before the user has time to update the stored passwords, a buggy client hammers the servers with requests using the old password, and gets the account locked by slapo-ppolicy.
Perhaps there could be a setting in pwdPolicy or in slapd.conf so that there is a grace time after a password reset? For instance, the admin could configure that slapo-ppolicy should not lock a user if the password has been changed less than X seconds ago.
Opinions?
Opinions:
First of all, password lockout itself is a dumb idea, and we only implement it because it's part of the original ppolicy spec. The ppolicy spec is pathetically bad though.
As for a grace time - that sounds like a terrible idea too, since sometimes passwords are changed with some urgency, specifically because of the imminent danger of an attack/fraudulent use.
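For reference, the following is an added example (not part of either message above, and not OpenLDAP project code) showing the slapo-ppolicy attributes that already govern the lockout behaviour the thread is about: how many failures trigger a lock, how quickly old failures are forgotten, and how long the lock lasts. The proposed "grace time after a password change" knob does not exist here; the closest existing levers are pwdFailureCountInterval and pwdLockoutDuration. The suffix dc=example,dc=com, the {1}mdb database and the policy DN are assumed for illustration.

```ldif
# Added example: slapo-ppolicy lockout configuration in cn=config style.
# Suffix, database index and policy DN are assumptions, not from the thread.

# 1. Attach the overlay to the database and name the default policy entry.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com

# 2. The default policy. pwdPolicy is an auxiliary class, so a structural
#    class (person) carries it.
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
# Enable lockout at all (set FALSE to never lock, only count failures).
pwdLockout: TRUE
# Consecutive bind failures before the account is locked.
pwdMaxFailure: 5
# Failures older than this many seconds are discarded; 0 keeps them forever.
# A short interval limits how much damage a stale-password client can do.
pwdFailureCountInterval: 300
# Seconds until a locked account unlocks by itself; 0 means locked until an
# administrator removes pwdAccountLockedTime from the user entry.
pwdLockoutDuration: 900
```

The ppolicy module must be loaded (olcModuleLoad: ppolicy.la) before the overlay entry is accepted. To release a locked user by hand, delete the pwdAccountLockedTime operational attribute from the user's entry with ldapmodify; the failure timestamps live in pwdFailureTime on the same entry and can be inspected with ldapsearch by requesting those attributes explicitly.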
openldap-technical@openldap.org