[389-users] Bind to consumer binds to provider as well
Gerrard Geldenhuis
Gerrard.Geldenhuis at betfair.com
Fri Nov 12 18:13:56 UTC 2010
> >>>
> >> Are you using Chain On Update for Binds?
> >> http://directory.fedoraproject.org/wiki/Howto:ChainOnUpdate
> >>
> >
> > We are indeed, we used that howto to set it up. Reading it now again it
> does say it will use the chaining backend for binds. Why is that?
Why is that? I don't know .
According the the wiki http://directory.fedoraproject.org/wiki/Howto:ChainOnUpdate
the consumer will use the chaining backend when I do bind/write requests.
I can understand why you would want to "centrally" manage login attempts but would it not better to handle login attempts locally on the consumer and then only if a login attempts fail and you need to do a write then write to the master. I can imagine though that with this approach you can potentially have more auth attempts than is allowed for.
> In order to have global password policy. Let's say for example that you have
> password policy which states accounts are locked out after 3 unsuccessful
> login attempts. If you have 5 directory servers, each with local password
> policy, that effectively means an attacker has 15 tries to guess the password
> instead of 3.
> > If we replicate changes down to the consumer how can the data be
> "fresher" than the consumer?
My sentence was less than ideal. If changes get replicated down then I agree data everywhere should be equally fresh within the time constraints it takes to replicated fully everywhere.
Regards
________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from
MessageLabs to scan all Incoming and Outgoing mail for viruses.
________________________________________________________________________
More information about the 389-users
mailing list