Emmanuel Dreyfus wrote:
We ran into the following problem: someone changes its password, but
has a few devices with the old password recorderd. Before the user
has time to update stored passwords, an buggy-client hammers servers
with requests using the old password, and get the account locked by
Perhaps there could be a setting in pwdPolicy or in slapd.conf
so that there is a grace time after a password reset? For instance,
the admin could configure that slapo-ppolicy should not lock a user
if password has been changed less than X seconds ago.
First of all, password lockout itself is a dumb idea, and we only implement it
because it's part of the original ppolicy spec. The ppolicy spec is
pathetically bad though.
As for a grace time - that sounds like a terrible idea too, since sometimes
passwords are changed with some urgency, specifically because of the imminent
danger of an attack/fraudulent use.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/