One thing to note is that N-strikes-you're-locked requires atomic LDAP modify operations. IIUC a proper LDAP multi-master system would need to implement a distributed locking or single master election, say, to get that right -- if not then N-strikes will not quite work as expected.
OTOH, I would not enable N-strikes-you're-locked. I'd rather force the user to change their passwords sooner when a password guessing attack is [heuristically] detected than lock the user out (also known as a DoS).

Nico

--
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
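The atomicity point in the message above, illustrated as an added simulation that is not part of the original post and talks to no LDAP server: the failed-bind counter is modelled as a plain integer per master, each master applies a non-atomic read-modify-write, and conflict resolution between masters picks one writer's entry (a constructed, simplified model of multi-master replication without a single master or distributed lock). The threshold of 5 strikes and the round-robin guesser are constructed values; the function names are this example's own.

```python
"""N-strikes lockout counter under single-master vs. uncoordinated multi-master.

Added example (not from the Kerberos list post). It models the failed-attempt
attribute as an integer and shows that, without atomic modifies or a single
master, increments on one master are lost at conflict resolution, so a
guesser gets more than N attempts before every master reports a lockout.
"""

from dataclasses import dataclass

N_STRIKES = 5  # lockout threshold (constructed value for the simulation)


@dataclass
class Master:
    """One LDAP master holding its own copy of the lockout state."""
    name: str
    failed: int = 0
    locked: bool = False

    def record_failure(self) -> None:
        # Non-atomic read-modify-write on the local copy only; no peer
        # coordination, which is what the post says N-strikes requires.
        current = self.failed
        self.failed = current + 1
        if self.failed >= N_STRIKES:
            self.locked = True


def converge(masters: list[Master]) -> None:
    """Crude conflict resolution (assumption): one writer's entry wins and is
    copied to the others, so their increments since the last sync vanish."""
    winner = masters[0]
    for m in masters[1:]:
        m.failed = winner.failed
        m.locked = winner.locked


def guesses_until_lock(num_masters: int, replicate_every: int = 0) -> int:
    """Run failed binds round-robin against the masters that still accept
    binds and return how many were accepted before all masters are locked.
    replicate_every=0 means the masters never converge."""
    masters = [Master(f"m{i}") for i in range(num_masters)]
    attempts = 0
    while not all(m.locked for m in masters):
        accepting = [m for m in masters if not m.locked]
        target = accepting[attempts % len(accepting)]
        target.record_failure()
        attempts += 1
        if replicate_every and attempts % replicate_every == 0:
            converge(masters)
    return attempts


if __name__ == "__main__":
    # Single master: lockout after exactly N_STRIKES failed binds.
    print("single master:", guesses_until_lock(1))
    # Two masters, no sync: each counts independently, so 2 * N_STRIKES.
    print("two masters, no replication:", guesses_until_lock(2))
    # Two masters syncing every 2 attempts: lost increments still allow
    # more than N_STRIKES guesses before both masters refuse.
    print("two masters, sync every 2:", guesses_until_lock(2, 2))
```

The single-master case locks after exactly N_STRIKES because every increment is applied to the one authoritative counter; the multi-master cases overshoot because a master's increments are discarded whenever another master's entry wins the conflict, which is why a single-master election or a distributed lock (or a true atomic increment across replicas) is needed for the policy to mean what it says.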
