Congress Policy for Keystone and LDAP

asked 2016-03-28 15:34:27 -0500

LamT

Currently, the cloud deployment uses an LDAP-based keystone service. The LDAP backend enforces a handful of security rules, one of which is to lock the account after X unsuccessful attempts. It is possible for someone who has access to the system to intentionally send auth requests with a valid user id but an invalid password to cause LDAP to lock the user out of the system. Effectively, this causes a denial-of-service attack.

A thought may be to rate-limit the API calls, but I was thinking perhaps a policy-based solution leveraging Congress may be more appropriate. I am curious whether this would be a worthwhile approach to pursue or whether it is a fool's errand. Also, I want to see if there are other approaches (without making keystone stateful).

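Whether the answer ends up being a rate limiter or a Congress policy, both need the same input signal: a user being driven toward the LDAP lockout threshold, and which sources are doing it. The following is an added example, not code from the question or from Congress; the event layout, the lockout count and the time window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth events in a keystone-like shape (assumed layout, not a real log format).
# Each entry: (ISO timestamp, user id, source ip, outcome)
SAMPLE_EVENTS = [
    ("2016-03-28T15:30:00", "alice", "10.0.0.5", "fail"),
    ("2016-03-28T15:30:01", "alice", "10.0.0.5", "fail"),
    ("2016-03-28T15:30:02", "alice", "10.0.0.5", "fail"),
    ("2016-03-28T15:30:03", "alice", "10.0.0.5", "fail"),
    ("2016-03-28T15:31:00", "bob", "10.0.0.9", "fail"),
    ("2016-03-28T15:31:30", "bob", "10.0.0.9", "success"),
    ("2016-03-28T15:40:00", "bob", "10.0.0.9", "fail"),
]

LOCKOUT_THRESHOLD = 5            # assumed LDAP lockout count (the "X" in the question)
WINDOW = timedelta(minutes=5)    # assumed sliding window for counting failures
WARN_AT = LOCKOUT_THRESHOLD - 1  # flag one attempt before the directory would lock the account


def find_lockout_risk(events, threshold=WARN_AT, window=WINDOW):
    """Return {user: (failure_count, sorted source ips)} for users whose consecutive
    failures inside `window` reach `threshold`, together with the sources driving them.
    A successful auth clears the streak, mirroring how a directory failure counter
    is assumed to reset, so a user who mistypes once and then logs in is not flagged.
    Counting per user (not per source) matches what LDAP actually locks on."""
    streaks = defaultdict(list)  # user -> [(timestamp, ip)] for the current failure streak
    flagged = {}
    for ts, user, ip, outcome in sorted(events):
        t = datetime.fromisoformat(ts)
        if outcome == "success":
            streaks.pop(user, None)
            continue
        # drop failures that have aged out of the window, then record this one
        streaks[user] = [(s, sip) for s, sip in streaks[user] if t - s <= window] + [(t, ip)]
        if len(streaks[user]) >= threshold:
            sources = sorted({sip for _, sip in streaks[user]})
            flagged[user] = (len(streaks[user]), sources)
    return flagged


if __name__ == "__main__":
    for user, (count, sources) in find_lockout_risk(SAMPLE_EVENTS).items():
        print(f"{user}: {count} failures in window from {sources}")
```

A single source driving one user to the threshold is the pattern a throttle can act on without touching the user account; the flagged data is also the kind of table a Congress policy would evaluate if the auth events were fed to it.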