Chris Jacobs wrote:
>> First of all, password lockout itself is a dumb idea, and we only
>> implement it because it's part of the original ppolicy spec. The
>> ppolicy spec is pathetically bad though.
> What methods aren't dumb ideas that accomplish account unavailability on
N password failures?
Look at a later rev of the spec - use increasing delays. It's the standard
approach used by Unix for 40-some years.
Is that implementable in OpenLDAP or is this on a per client basis?
If client, for all practical purposes that's not exactly 'doable', forcing us
back to the auth source - OpenLDAP. Think of configuring pfSense, F5 BigIP, httpd, pam,
etc. Some certainly are configurable for that, but the how at first google search pass
seems to be wide and varied.
FWIW: I'd love to get out of the 'can you unlock my account' business, and
this to be implementable via OpenLDAP, although I kind of doubt it is; (it might
communicate the command to delay - clients would have to understand so back to client
ability dependency, or it might just delay a response to the client - which seems like a
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
This message is private and confidential. If you have received it in error, please notify
the sender and remove it from your system.