
shibboleth-dev - RE: [Shib-Dev] Account lockout

Subject: Shibboleth Developers

  • From: "Dergenski, Todd A." <>
  • To: "" <>
  • Subject: RE: [Shib-Dev] Account lockout
  • Date: Thu, 24 Mar 2011 09:28:48 -0400
  • Accept-language: en-US

Yes, we use the LDAP to enforce 3 attempts with a lockout for 1 minute. We
have a modified Login module that looks for the lockout flag and notifies the
user that it is in place.

Our lockout policy is a tarpit-style lockout. It is not intended to keep the
correct person out, but to slow down someone trying to break in.

Todd Dergenski
Old Dominion University
Senior Security Administrator
4700 Elkhorn Ave - Room 4300
Norfolk, Va, 23529 USA

(757) 683-4301


-----Original Message-----
From: [mailto:] On Behalf Of Christopher Bongaarts
Sent: Wednesday, March 23, 2011 1:11 PM
To:
Subject: [Shib-Dev] Account lockout

Has anyone implemented an "attack lock" (X failed password attempts
without a success in Y minutes locks out further attempts for Z minutes)
for the IdP?

If not, would the StorageService be a good place to keep the necessary
state?
--
%% Christopher A. Bongaarts %%

%%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
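
The "X failures without a success in Y minutes locks out for Z minutes" rule discussed in this thread, as an added example that is not part of either message and is not Shibboleth or LDAP code. It assumes an in-memory dict in place of a real state store, a hypothetical `verify` callable that performs the password check, and defaults matching the 3 attempts and 1 minute mentioned in the reply.

```python
import time
from collections import defaultdict, deque


class AttackLock:
    """X failures without a success inside Y seconds lock the account for Z seconds."""

    def __init__(self, max_failures=3, window=60.0, lockout=60.0, clock=time.monotonic):
        self.max_failures = max_failures      # X
        self.window = window                  # Y, in seconds
        self.lockout = lockout                # Z, in seconds
        self.clock = clock                    # injectable so time can be controlled
        self._failures = defaultdict(deque)   # username -> recent failure timestamps
        self._locked_until = {}               # username -> lock expiry time

    def locked_for(self, user):
        """Seconds of lockout remaining for user, 0.0 if not locked."""
        remaining = self._locked_until.get(user, 0.0) - self.clock()
        if remaining <= 0:
            self._locked_until.pop(user, None)  # tarpit: the lock expires by itself
            return 0.0
        return remaining

    def attempt(self, user, verify):
        """Run one login attempt; returns 'locked', 'ok' or 'failed'.

        verify is a zero-argument callable (hypothetical) that checks the
        submitted password. It is not called while the account is locked.
        """
        if self.locked_for(user) > 0:
            return "locked"                   # rejected attempts do not extend the lock
        if verify():
            self._failures.pop(user, None)    # a success resets the failure count
            return "ok"
        now = self.clock()
        recent = self._failures[user]
        recent.append(now)
        while now - recent[0] > self.window:
            recent.popleft()                  # forget failures older than Y
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            recent.clear()
        return "failed"
```

A login handler can call `locked_for()` first to tell the user that a lockout is in place, as the modified login module in the reply does.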


