Ask Your Question

LamT's profile - activity

2016-05-04 12:19:32 -0600 received badge  Popular Question (source)
2016-03-28 23:49:42 -0600 asked a question Congress Policy for Keystone and LDAP

Currently, the cloud deployment uses an LDAP-based keystone service. The LDAP backend enforces a handful of security rule, one of which is to lock the account after X unsuccessful attempts. It is possible for someone who has access to the system to intentionally send auth request with valid user id but invalid password to cause LDAP to lock the user from the system. Effectively, this causes a denial-of-service attack.

A thought may be to rate-limit the API calls, but I was thinking perhaps a policy-based solution leveraging Congress may be more appropriate. I am curious if this would be a worthwhile approach to pursue or is this a fool's errand. Also, I want to see if there are other approaches [without making keystone state-ful.]