Lockout

[Luke Howard]

Right, I did look at this; however, for now I chose the path that was  
the least intrusive to the existing kadm5 information model.

I did this on the presumption that eventually we will want to  
harmonise the KDB LDAP backend with the password policy draft, and  
that this will be best done in one fell swoop rather than piecemeal.  
(Now, doing that is out of scope for this project.)

-- Luke

On 15/09/2009, at 11:24 PM, Zhanna Tsitkova wrote:

> Something in lines of "Password Policy for LDAP Directories" draft?
> http://www.ietf.org/id/draft-behera-ldap-password-policy-10.txt
>
> Zhanna
> ________________________________________
> From: krbdev-bounces at MIT.EDU [krbdev-bounces at MIT.EDU] On Behalf Of  
> Simo Sorce [ssorce at redhat.com]
> Sent: Tuesday, September 15, 2009 4:49 PM
> To: Luke Howard
> Cc: MIT Kerberos Dev List
> Subject: Re: Lockout
>
> On Tue, 2009-09-15 at 20:56 +0200, Luke Howard wrote:
>> For review:
>>
>>      http://k5wiki.kerberos.org/wiki/Projects/Lockout
>>
>> Note: code is not well tested (in case of LDAP, untested).
>
> I think there is some discussion about lockout policies (probably in  
> the
> password policy discussion) for LDAP in the ldap workgroup.
>
> Instead of having only the last failed and a count of failed
> authentication attempts it would be probably better to have a list of
> authentication failures/success with a timestamp.
> This would be not only multimaster friendly (when using LDAP as a
> backend) but would allow for better reporting if needed.
>
> It also allows to change policies on the fly because you have all the
> data available to recalculate the status an account "should" be.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
>

--
www.padl.com | www.fghr.net