[389-users] Bind to consumer binds to provider as well

Gerrard Geldenhuis Gerrard.Geldenhuis at betfair.com
Fri Nov 12 18:13:56 UTC 2010


> >>>
> >> Are you using Chain On Update for Binds?
> >> http://directory.fedoraproject.org/wiki/Howto:ChainOnUpdate
> >>
> >
> > We are indeed, we used that howto to set it up. Reading it now again it
> does say it will use the chaining backend for binds. Why is that?

Why is that? I don't know .
According the the wiki http://directory.fedoraproject.org/wiki/Howto:ChainOnUpdate
the consumer will use the chaining backend when I do bind/write requests. 

I can understand why you would want to "centrally" manage login attempts but would it not better to handle login attempts locally on the consumer and then only if a login attempts fail and you need to do a write then write to the master. I can imagine though that with this approach you can potentially have more auth attempts than is allowed for.

> In order to have global password policy.  Let's say for example that you have
> password policy which states accounts are locked out after 3 unsuccessful
> login attempts.  If you have 5 directory servers, each with local password
> policy, that effectively means an attacker has 15 tries to guess the password
> instead of 3.
> > If we replicate changes down to the consumer how can the data be
> "fresher" than the consumer?

My sentence was less than ideal. If changes get replicated down then I agree data everywhere should be equally fresh within the time constraints it takes to replicated fully everywhere.

Regards

________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from 
MessageLabs to scan all Incoming and Outgoing mail for viruses.

________________________________________________________________________



More information about the 389-users mailing list