Hello.

I have a feature request for saslauthd. Would it be possible to include a cache of negative authentication attempts? Eventually with a timeout value different from successful authentications.

Use case. One central LDAP repository with users having a single user/password for many applications. Password potentially can be changed through more than one interface. One of the applications is email (cyrus-based ;-) ), that users access both via client/webmail and smartphone (either IMAP direct or through some sort of sync integrated with the webmail suite). For security reasons and law compliance, accounts have a lockout policy (after X failed attempts no further BINDs are successful for an amount of time).

In the typical situation the average user forgets to update the password on the smartphone, which in turn is set to check for updates every 10-15-30 minutes. While the user is away (lunch, commuting, meeting, weekend, ...) the smartphone keeps trying with the old password and the account gets locked for all applications authenticating on that LDAP base.

LDAP implementations do not seem to allow a selective lockout, say, based on the uid+IP rather than just the userid. At least I couldn't find a reference in the RHDS10 documentation.

The way I phrased my request, a brute force attack will equally lock out the user since the login/password pair will be different at each attempt and therefore not hit the negative cache. But a brute force should be noticed and the user warned about it too.

Therefore my feature request: keep a cache of failed attempts instead of passing them all downstream to the user database.

Paolo
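
A sketch of the behaviour requested above, added here as an illustration; it is not saslauthd code, and `CredentialCache`, `simulate`, the TTL values and the `backend` callable (standing in for the LDAP bind) are all hypothetical. It shows a stale password retried on a timer reaching the directory once per negative-TTL window, while attempts with a different password each time always miss the cache.

```python
import hashlib
import hmac
import os
import time


class CredentialCache:
    """Caches the backend verdict per (user, password) pair, with separate TTLs."""

    def __init__(self, backend, ok_ttl=600, fail_ttl=1800, clock=time.monotonic):
        self.backend = backend        # callable(user, password) -> bool, e.g. an LDAP bind
        self.ok_ttl = ok_ttl          # assumed values, in seconds
        self.fail_ttl = fail_ttl
        self.clock = clock
        self._key = os.urandom(32)    # per-process key: entries never hold the password
        self._entries = {}            # digest -> (verdict, expiry)

    def _digest(self, user, password):
        # Length-prefix the user so ("ab", "c") and ("a", "bc") cannot collide.
        u = user.encode()
        msg = b"%d:%s:%s" % (len(u), u, password.encode())
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def check(self, user, password):
        digest = self._digest(user, password)
        now = self.clock()
        hit = self._entries.get(digest)
        if hit and hit[1] > now:
            return hit[0]             # answered locally, no bind sent downstream
        verdict = bool(self.backend(user, password))
        ttl = self.ok_ttl if verdict else self.fail_ttl
        self._entries[digest] = (verdict, now + ttl)
        return verdict


def simulate(attempts, fail_ttl=1800, step=900):
    """Replay (user, password) attempts `step` seconds apart; return backend bind count."""
    binds = []
    now = [0.0]

    def backend(user, password):      # constructed stand-in for the LDAP directory
        binds.append(user)
        return (user, password) == ("paolo", "new-secret")

    cache = CredentialCache(backend, fail_ttl=fail_ttl, clock=lambda: now[0])
    for user, password in attempts:
        cache.check(user, password)
        now[0] += step
    return len(binds)
```

For the lockout counter never to reach X, the negative TTL has to be long enough that fewer than X cache misses fall inside the directory's failure-counting window. A production cache would also need a bound on the number of entries.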