[Freeipa-devel] global account lockout

Ludwig Krispenz lkrispen at redhat.com
Mon Apr 7 09:35:05 UTC 2014


Please review the following feature design. It introduces a global 
account lockout, while trying to keep the replication traffic minimal. 
In my opinion, for a real global account lockout the basic lockout 
attributes have to be replicated, otherwise the benefit is minimal: an 
attacker could perform (maxFailedcount -1) login attempts on every 
server before the global lockout is set. But the design page describes 
how it could be done if it should be implemented - maybe the side effect 
that accounts could then be unlocked on any replica has its own benefit.

