Multiple KDCs with OpenLDAP
Nico Williams
nico at cryptonector.com
Thu May 24 14:35:27 EDT 2012
One thing to note is that N-strikes-you're-locked requires atomic LDAP
modify operations. IIUC a proper LDAP multi-master system would
need to implement a distributed locking or single master election, say,
to get that right -- if not then N-strikes will not quite work as expected.
OTOH, I would not enable N-strikes-you're-locked. I'd rather force
the user to change their passwords sooner when a password guessing
attack is [heuristically] detected than lock the user out (also known
as a DoS).
Nico
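The lost-update race Nico describes, as an added example that is not part of the original post: a toy replicated user entry where two KDCs record a failed authentication with a plain read-increment-replace, versus an increment that is rejected when the stored value has moved (the kind of guarantee an LDAP server gives with Modify-Increment, RFC 4525, or a Modify under the Assertion control, RFC 4528). The threshold, entry layout and interleaving are constructed; the interleaving is scripted rather than threaded so the outcome is deterministic.

```python
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 3  # constructed policy: lock after 3 failed attempts


@dataclass
class UserEntry:
    failed_auth: int = 0
    locked: bool = False


def write_counter(entry: UserEntry, value: int) -> None:
    """Plain LDAP 'replace' of the counter: the write lands whatever the
    entry held in the meantime, so a stale view silently overwrites."""
    entry.failed_auth = value
    entry.locked = value >= LOCKOUT_THRESHOLD


def cas_increment(entry: UserEntry, expected: int) -> bool:
    """Atomic increment the way a server offers it with Modify-Increment
    (RFC 4525) or a Modify guarded by the Assertion control (RFC 4528):
    the change is rejected rather than applied over a newer value."""
    if entry.failed_auth != expected:
        return False
    write_counter(entry, expected + 1)
    return True


def nonatomic_lockout_after_three_failures() -> UserEntry:
    """Two KDCs each handle a failed AS-REQ for the same principal and both
    read the counter before either write reaches the other (multi-master
    lag). One increment is lost: three failures, counter 2, no lockout."""
    entry = UserEntry()
    kdc_a_view = entry.failed_auth            # A reads 0
    kdc_b_view = entry.failed_auth            # B reads 0
    write_counter(entry, kdc_a_view + 1)      # A writes 1
    write_counter(entry, kdc_b_view + 1)      # B writes 1: A's update is lost
    write_counter(entry, entry.failed_auth + 1)  # third failure, no contention
    return entry


def atomic_lockout_after_three_failures() -> UserEntry:
    """Same interleaving, but a rejected increment is retried against the
    fresh value, so nothing is lost and the third failure locks the entry."""
    entry = UserEntry()
    kdc_a_view = kdc_b_view = entry.failed_auth
    cas_increment(entry, kdc_a_view)          # A: 0 -> 1
    if not cas_increment(entry, kdc_b_view):  # B: expected 0, sees 1, rejected
        cas_increment(entry, entry.failed_auth)  # B retries: 1 -> 2
    cas_increment(entry, entry.failed_auth)   # third failure: 2 -> 3, locked
    return entry
```

Without the atomic form the counter undercounts under contention, so the lockout fires late or never; note that the same undercount also hides the very guessing activity one would want to detect.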