Simo Sorce ssorce at redhat.com
Tue Sep 15 16:49:51 EDT 2009

On Tue, 2009-09-15 at 20:56 +0200, Luke Howard wrote:
> For review:
> 	http://k5wiki.kerberos.org/wiki/Projects/Lockout
> Note: code is not well tested (in case of LDAP, untested).

I think there is some discussion about lockout policies (probably in the
password policy discussion) for LDAP in the ldap workgroup.

Instead of having only the last failed and a count of failed
authentication attempts it would be probably better to have a list of
authentication failures/success with a timestamp.
This would be not only multimaster friendly (when using LDAP as a
backend) but would allow for better reporting if needed.

It also allows to change policies on the fly because you have all the
data available to recalculate the status an account "should" be.


Simo Sorce * Red Hat, Inc * New York

More information about the krbdev mailing list