account lockout with ldap backend

Paul B. Henson henson at
Sat Nov 16 15:26:55 EST 2013

According to:

The account lockout state of a principal is not replicated between KDCs,
and an attacker could hit each kdc separately to get four times the
failurecount attempts.

I know this is the case with the native db backend/replication, however
we are using the ldap backend on top of openldap set up in a
multi-master configuration using ldap replication rather than kerberos.
I thought this *would* replicate failures, so that across all the kdc's
an attacker would only get a total of failurecount attempts but haven't
been able to find a definitive source confirming it.

Could somebody please verify whether failures are replicated when using
the ldap backend? If so, it would be nice if the documentation were
updated to reflect that.

Thanks much...

More information about the Kerberos mailing list