[Freeipa-devel] global account lockout

Simo Sorce simo at redhat.com
Mon Apr 7 16:01:05 UTC 2014

On Mon, 2014-04-07 at 11:26 -0400, Rob Crittenden wrote:
> Ludwig Krispenz wrote:
> > Hi,
> >
> > please review the following feature design. It introduces a global
> > account lockout, while trying to keep the replication traffic minimal.
> > In my opinion for a real global account lockout the basic lockout
> > attributes have to be replicated otherwise the benefit is minimal: an
> > attacker could perform (maxFailedcount -1) login attempts on every
> > server before the global lockout is set. But the design page describes
> > how it could be done if it should be implemented - maybe the side effect
> > that accounts could then be unlocked on any replica has its own benefit.
> >
> > http://www.freeipa.org/page/V4/Replicated_lockout
> One weakness with this is there is still a window for extra password 
> attempts if one is clever, (m * (f-1))+1 to be exact, where m is the 
> number of masters and f is the # of allowed failed logins.

Yes, but that is a problem that cannot be solved w/o full replication at
every authentication attempt.

What we tried to achieve is a middle ground to at least ease
administration and still lock em up "earlier".


Simo Sorce * Red Hat, Inc * New York
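
Added example, not part of the original thread and not FreeIPA code: a small model of the bound discussed above, comparing how many failed logins are tolerated before the account is locked on every master under three replication choices. The function name, the policy names, instantaneous replication, and locking on the f-th failure are assumptions of this sketch.

```python
def worst_case_failures(m, f, policy):
    """Failed logins accepted across m masters before the account is locked
    on all of them, with failures spread as evenly as possible.

    policy (hypothetical names):
      "local"   - counters and lockout state stay on each master
      "lockout" - counters stay local, lockout state is replicated
      "full"    - failure counters are replicated on every attempt
    """
    failed = [0] * m          # per-master failed-login counter
    locked = [False] * m      # lockout state as seen by each master
    total = 0
    while not all(locked):
        # Worst case for the defender: the next failure lands on the
        # unlocked master with the lowest local counter.
        i = min((k for k in range(m) if not locked[k]), key=lambda k: failed[k])
        failed[i] += 1
        total += 1
        if policy == "full":
            # Every master sees every failure immediately (assumed).
            failed = [failed[i]] * m
        for k in range(m):
            if failed[k] >= f:
                locked[k] = True
        if policy == "lockout" and locked[i]:
            # Only the lockout event is replicated (assumed instantaneous).
            locked = [True] * m
    return total


if __name__ == "__main__":
    m, f = 3, 5  # constructed sample values
    for policy in ("local", "lockout", "full"):
        print(policy, worst_case_failures(m, f, policy))
```
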
