We're testing the ppolicy module for the purposes of enabling account lockout on our ldap infrastructure. During initial testing, I noticed that it didn't seem to be catching all of the failed logins, and then realized that the pwdFailureTime attribute in which they are stored seems to have a granularity of only 1 second?
So, if there are 100 failed logins in 1 second, for the purposes of account lockout, the password policy module only records them all as 1 failed login? Such that if you had a pwdMaxFailure set to 100, an intruder would actually be able to get in 10000 password guess attempts before the account was actually locked out?
Am I misunderstanding something here? Is there any way to get pwdFailureTime to use microsecond granularity like entryCSN?
Thanks...
Paul B. Henson wrote:
> We're testing the ppolicy module for the purposes of enabling account lockout on our ldap infrastructure. During initial testing, I noticed that it didn't seem to be catching all of the failed logins, and then realized that the pwdFailureTime attribute in which they are stored seems to have a granularity of only 1 second?
Yes, there's already an ITS present for that:
http://www.openldap.org/its/index.cgi?findid=7161
Ciao, Michael.
From: Michael Ströder Sent: Sunday, April 27, 2014 11:22 PM
> Yes, there's already an ITS present for that:
Hmm, I see that was opened over two years ago and as of yet still has no response :(.
It would appear the generalized time syntax the attribute is defined as supports fractional seconds, and in the draft RFC I don't see any specific requirement that the timestamp be at a per second granularity as opposed to hundredths of a second or thousandths of a second. I will need to go review the actual code to see if this is something more complicated than it would initially appear, but I think at this point I'm going to try to fix this myself. Hopefully such an enhancement would be accepted into the official version.
Thanks
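An added simulation (not code from the thread or from OpenLDAP) of the counting problem raised in the first message and the fractional-second syntax discussed in the last one. It assumes, as the thread does, that ppolicy stores one pwdFailureTime value per failed bind and that an LDAP multi-valued attribute cannot hold two identical values, so stamps that share the same second collapse into one. The timestamp format follows RFC 4517 GeneralizedTime, which permits an optional fractional-second part; the burst start time, rate and pwdMaxFailure values are constructed for illustration.

```python
"""Model how pwdFailureTime values accumulate toward pwdMaxFailure when the
stamps have 1-second granularity versus fractional seconds.

Assumption (from the thread): one attribute value per failed bind, and
identical values collapse because a multi-valued LDAP attribute is a set.
"""
from datetime import datetime, timedelta, timezone
import re

# RFC 4517 GeneralizedTime subset: YYYYmmddHHMMSS, optional fraction, UTC 'Z'.
GENTIME_RE = re.compile(r"^(\d{14})(?:[.,](\d{1,6}))?Z$")


def parse_generalized_time(value: str) -> datetime:
    """Parse a UTC GeneralizedTime with or without a fractional-second part."""
    m = GENTIME_RE.match(value)
    if not m:
        raise ValueError(f"not a supported GeneralizedTime: {value!r}")
    ts = datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    frac = m.group(2)
    if frac:
        # Right-pad the fraction to microseconds: ".5" means 500000 us.
        ts = ts.replace(microsecond=int(frac.ljust(6, "0")))
    return ts


def format_generalized_time(ts: datetime, fractional: bool) -> str:
    """Render a UTC timestamp the way a pwdFailureTime value would be stored,
    either truncated to whole seconds or carrying microseconds."""
    s = ts.strftime("%Y%m%d%H%M%S")
    if fractional:
        s += f".{ts.microsecond:06d}"
    return s + "Z"


def record_failures(attempt_times, fractional: bool) -> set:
    """Return the distinct pwdFailureTime values left after the given failed
    binds; duplicates vanish because the attribute is a set of values."""
    return {format_generalized_time(t, fractional) for t in attempt_times}


def is_locked(values: set, pwd_max_failure: int) -> bool:
    """ppolicy locks the account once the stored failure count reaches the limit."""
    return len(values) >= pwd_max_failure


def simulate(attempts_per_second: int, seconds: int, pwd_max_failure: int,
             fractional: bool) -> tuple:
    """Constructed burst of failed binds spread evenly over `seconds` seconds.
    Returns (number of stored pwdFailureTime values, locked?)."""
    start = datetime(2014, 4, 27, 23, 22, 0, tzinfo=timezone.utc)  # constructed
    step = timedelta(seconds=1) / attempts_per_second
    times = [start + i * step for i in range(attempts_per_second * seconds)]
    values = record_failures(times, fractional)
    return len(values), is_locked(values, pwd_max_failure)


if __name__ == "__main__":
    # 100 failures inside one second, pwdMaxFailure = 100, as in the thread.
    for fractional in (False, True):
        stored, locked = simulate(100, 1, 100, fractional)
        print(f"fractional={fractional}: {stored} values stored, locked={locked}")
```

Run as-is, the whole-second variant stores a single value and never locks, while the fractional variant stores all 100 and locks on the hundredth failure, which is the gap described at the top of the thread. The same counting logic is what a detection rule should key on: alert on the rate of failed binds in the server log rather than on the number of pwdFailureTime values, since the stored values undercount bursts.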
openldap-technical@openldap.org