Zhanna Tsitkova tsitkova at MIT.EDU
Tue Sep 15 17:24:38 EDT 2009

Something along the lines of the "Password Policy for LDAP Directories" draft?

From: krbdev-bounces at MIT.EDU [krbdev-bounces at MIT.EDU] On Behalf Of Simo Sorce [ssorce at redhat.com]
Sent: Tuesday, September 15, 2009 4:49 PM
To: Luke Howard
Cc: MIT Kerberos Dev List
Subject: Re: Lockout

On Tue, 2009-09-15 at 20:56 +0200, Luke Howard wrote:
> For review:
>       http://k5wiki.kerberos.org/wiki/Projects/Lockout
> Note: code is not well tested (in case of LDAP, untested).

I think there is some discussion about lockout policies (probably in the
password policy discussion) for LDAP in the ldap workgroup.

Instead of having only the last failed and a count of failed
authentication attempts, it would probably be better to have a list of
authentication failures/successes with a timestamp.
This would not only be multimaster friendly (when using LDAP as a
backend) but would also allow for better reporting if needed.

It also allows changing policies on the fly because you have all the
data available to recalculate the status an account "should" be in.


Simo Sorce * Red Hat, Inc * New York
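An added illustration of the design point above (example code written for this archive page, not code from MIT Kerberos, the Lockout project or either poster): lockout state is derived from a per-principal list of timestamped authentication events rather than stored as "last failure plus counter". The event schema (`AuthEvent` with a recording-replica `origin` field), the `LockoutPolicy` fields and the sample history are all constructed assumptions; the point they demonstrate is that append-only event lists from two replicas merge without conflict, and that the same history can be re-evaluated under a different policy at any time.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True, order=True)
class AuthEvent:
    """One authentication attempt as a KDC replica would record it (hypothetical schema)."""
    ts: int        # seconds since the epoch
    success: bool
    origin: str    # replica that recorded the event; part of the identity used for de-duplication


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int      # consecutive failures inside the window that trigger a lockout
    failure_window: int    # seconds; older failures no longer count toward the streak
    lockout_duration: int  # seconds the account stays locked after the trigger


def merge_histories(*histories: Iterable[AuthEvent]) -> List[AuthEvent]:
    """Union of per-replica event lists, de-duplicated and time-ordered.

    Each replica only ever appends events, so merging is order-independent and
    needs no conflict resolution, unlike a 'last failure + counter' pair where
    two replicas incrementing the counter concurrently lose updates.
    """
    return sorted({e for h in histories for e in h})


def evaluate(events: Iterable[AuthEvent], policy: LockoutPolicy, now: int) -> Tuple[bool, int, Optional[int]]:
    """Recompute lockout state purely from history.

    Returns (locked, failures_currently_counting, locked_until_or_None).
    Because nothing is cached, the same events can be re-evaluated under any
    policy, which is what lets an administrator change policy on the fly.
    """
    streak: List[int] = []
    locked_until = 0
    for e in sorted(events):
        if e.ts > now:
            continue  # future-dated event (clock skew between replicas): ignore for now
        if e.ts < locked_until:
            continue  # attempts made during an active lockout neither extend nor clear it
        if e.success:
            streak = []  # a successful authentication ends the failure streak
            continue
        # drop failures that fell out of the sliding window, then add this one
        streak = [t for t in streak if e.ts - t <= policy.failure_window]
        streak.append(e.ts)
        if len(streak) >= policy.max_failures:
            locked_until = e.ts + policy.lockout_duration
            streak = []
    streak = [t for t in streak if now - t <= policy.failure_window]
    locked = now < locked_until
    return locked, len(streak), (locked_until if locked else None)


# Constructed sample: two replicas saw overlapping parts of the same history.
# kdc2 also holds a replicated copy of kdc1's 1010 event; the merge drops the duplicate.
REPLICA_A = [AuthEvent(1000, False, "kdc1"), AuthEvent(1010, False, "kdc1")]
REPLICA_B = [AuthEvent(1010, False, "kdc1"), AuthEvent(1020, False, "kdc2")]

STRICT = LockoutPolicy(max_failures=3, failure_window=60, lockout_duration=300)
LENIENT = LockoutPolicy(max_failures=5, failure_window=60, lockout_duration=300)


def demo() -> dict:
    """Evaluate the merged history under two policies and at two points in time."""
    history = merge_histories(REPLICA_A, REPLICA_B)
    return {
        "merged_len": len(history),
        "strict_now": evaluate(history, STRICT, now=1050),
        "lenient_now": evaluate(history, LENIENT, now=1050),
        "strict_later": evaluate(history, STRICT, now=1400),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

With the strict policy the third failure at 1020 locks the principal until 1320, so at 1050 it is locked; the lenient policy, applied to exactly the same events, reports three counting failures and no lockout. Once the lockout expires (1400), the strict evaluation is clean again without any "unlock" write ever having been made.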
