[dev] On authentication locking and bad login count Re: [commits] Horde branch master updated. 60616171e09cc24c63e899533e0280b7b1f4c064

Ralf Lang lang at b1-systems.de
Mon Aug 15 07:27:36 UTC 2011


Am Montag, 15. August 2011, 05:00:10 schrieben Sie:
> > account locking for Horde_Auth_Sql
> > 
> > -----------------------------------------------------------------------
> > 
> > commit 60616171e09cc24c63e899533e0280b7b1f4c064
> > Author: Ralf Lang <lang at b1-systems.de>
> > Date:   Fri Aug 12 14:37:29 2011 +0200
> > 
> >     [#10387] Draft implementation of bad login counting and account
> > 
> > locking for Horde_Auth_Sql
> > 
> >  framework/Auth/lib/Horde/Auth/Base.php |    2 +-
> >  framework/Auth/lib/Horde/Auth/Sql.php  |  169
> > 
> > ++++++++++++++++++++++++++++++-
> > 
> >  2 files changed, 164 insertions(+), 7 deletions(-)
> > 
> > http://git.horde.org/horde-git/-/commit/60616171e09cc24c63e899533e0280b7b
> > 1f4c064
> 
> We had something something similar for a while in the Kolab auth driver.
> 
> http://git.horde.org/co.php/framework/Auth/Auth/Attic/kolab.php?rt=horde&sa
> =1&ws=1&r=1.32
> 
> That one used the History system for the "bad login count" though.
> Wouldn't that be the better option? The "bad login count" could work
> for all drivers rather than just the SQL driver. And it could be used
> for a simple time-based lockout if an Auth driver does not support
> locking. If a driver supports locking the additional capability could
> be used.
> 

Great hint, thank you.
The history can gradually "forget" about single bad logins, which the auth_sql 
implementation can't.
I also thought about using horde_lock for generalizing the locking bit.

However I did not find a good solution:
* We do not use singletons anymore. The history and/or lock instance needs to 
be injected (which I think should not happen on library level) or passed. 
* I have some pending research if ldap/AD provide account locking schemes and 
if they are widely used. Specific drivers could override default locking 
scheme though

* I was not happy about adding more dependencies to Horde_Auth but passing 
them in the constuctor may be OK.

I see if I can put up something general which doesn't break existing stuff.

-- 
Ralf Lang
Linux Consultant / Developer
Tel.: +49-170-6381563
Mail: lang at b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537


More information about the dev mailing list