Multiple KDCs with OpenLDAP

Nico Williams nico at cryptonector.com
Thu May 24 14:35:27 EDT 2012


One thing to note is that N-strikes-you're-locked requires atomic LDAP
modify operations.  IIUC a proper LDAP multi-master system would
need to implement a distributed locking or single master election, say,
to get that right -- if not then N-strikes will not quite work as expected.

OTOH, I would not enable N-strikes-you're-locked.  I'd rather force
the user to change their passwords sooner when a password guessing
attack is [heuristically] detected than lock the user out (also known
as a DoS).

Nico
--
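As an added illustration (not from Nico's message, nor from any KDC or OpenLDAP code), the Python below models why the lockout counter needs an atomic modify: KDCs that each do an LDAP search followed by a replace lose each other's updates, while a compare-and-swap style increment (what an assertion control on the modify gives you against one server) counts every failure. The Directory class, the two handlers, the threshold and the principal name are all constructed for the simulation; the compare-and-swap only protects a single master, which is exactly the multi-master coordination gap the message points at.

```python
MAX_STRIKES = 5  # assumed lockout threshold; the post does not give one
_DONE = object()  # sentinel for an exhausted handler

class Directory:
    """Constructed in-memory stand-in for the LDAP backend the KDCs share."""
    def __init__(self, entries):
        self._entries = dict(entries)
    def read(self, dn):
        return self._entries[dn]
    def write(self, dn, value):
        self._entries[dn] = value  # unconditional replace, like a plain modify
    def compare_and_swap(self, dn, expected, new):
        # commit only if the value is unchanged since it was read (CAS-style modify)
        if self._entries[dn] != expected:
            return False
        self._entries[dn] = new
        return True

def naive_strike(directory, dn):
    """Search, then replace: the lost-update pattern. Yields where another KDC may run."""
    current = directory.read(dn)
    yield
    directory.write(dn, current + 1)

def atomic_strike(directory, dn):
    """Retry the increment until the compare-and-swap commits against the latest value."""
    while True:
        current = directory.read(dn)
        yield
        if directory.compare_and_swap(dn, current, current + 1):
            return

def run_interleaved(handlers):
    """Round-robin: every handler takes one step before any takes a second (worst case)."""
    active = list(handlers)
    while active:
        active = [h for h in active if next(h, _DONE) is not _DONE]

def strikes_after_concurrent_failures(n_failures, atomic):
    """Return (fail_count, locked) after n_failures hit the same entry concurrently."""
    dn = "krbPrincipalName=alice@EXAMPLE.COM"  # constructed sample principal
    directory = Directory({dn: 0})
    handler = atomic_strike if atomic else naive_strike
    run_interleaved([handler(directory, dn) for _ in range(n_failures)])
    count = directory.read(dn)
    return count, count >= MAX_STRIKES
```

With five simultaneous failures the naive path ends at a count of 1 and never locks, while the compare-and-swap path reaches 5 and does.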

