implementing password lockout

Simo Sorce simo.sorce at xsec.it
Mon Jan 26 14:42:05 GMT 2004


On Mon, 2004-01-26 at 15:22, Jim McDonough wrote:
> Simo, thanks for clarifying that...but I still have a few issues to clear
> up, since we don't (yet) have real windows replication:
> 
> When the bad password count isn't replicated, if we're using LDAP
> replication, we're going to replicate it, so we'll have to store a time for
> the last bad password, no?  We can't choose to selectively replicate
> attributes sometimes, but not others.  This is what Jianliang has in his
> patch, and it makes sense to me.
> 
> I still think we need a local version, though, because if we don't, then if
> the PDC is down what happens when a user enters a bad password?  A correct
> password should be OK, but a bad password attempt...?

I fully agree. As I said, we need a special case for ldap since it does
replicate beyond our control; the ldap passdb could be told to not store
the bad password count on ldap but keep it somewhere and save it down only
when it reaches the max count.

Simo.

-- 
Simo Sorce - simo.sorce at xsec.it
Xsec s.r.l. - http://www.xsec.it
via Garofalo, 39 - 20133 - Milano
mobile: +39 329 328 7702
tel. +39 02 2953 4143 - fax: +39 02 700 442 399
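
Added example, not part of the original message and not Samba code: a sketch of the idea in the reply above, where the bad password count lives in per-server state and the replicated LDAP entry is written only when the count reaches the maximum. The struct and function names, the threshold of 3 and the 30-minute reset window are assumptions made for illustration.

```c
#include <stdbool.h>
#include <time.h>

#define MAX_BAD_COUNT 3      /* assumed lockout threshold */
#define RESET_WINDOW  1800   /* assumed: seconds after which the count resets */

/* Stand-in for the replicated LDAP entry (hypothetical, not Samba's schema). */
struct ldap_entry { int bad_count; time_t bad_time; bool locked; int writes; };

/* Per-server state that is never replicated. */
struct local_state { int bad_count; time_t last_bad; };

/* Every call here would be an LDAP modify that replication then propagates. */
static void ldap_store(struct ldap_entry *e, int count, time_t when, bool locked)
{
    e->bad_count = count;
    e->bad_time = when;
    e->locked = locked;
    e->writes++;
}

/* Returns true if the logon is allowed. */
bool check_logon(struct local_state *l, struct ldap_entry *e,
                 bool password_ok, time_t now)
{
    if (e->locked)
        return false;                /* lockout state came from the directory */

    /* Old failures expire locally, using the stored time of the last one. */
    if (l->bad_count > 0 && now - l->last_bad > RESET_WINDOW)
        l->bad_count = 0;

    if (password_ok) {
        l->bad_count = 0;            /* success clears the local count only */
        return true;
    }

    l->bad_count++;
    l->last_bad = now;

    /* Only the transition to "locked" touches the replicated store. */
    if (l->bad_count >= MAX_BAD_COUNT)
        ldap_store(e, l->bad_count, now, true);
    return false;
}
```

Because the count is kept per server, failures against different servers are not summed, so the effective threshold across several servers is higher than `MAX_BAD_COUNT`; that is the trade-off for not replicating every failed attempt.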


More information about the samba-technical mailing list