By: Jake Barwell user 18 Feb 2016 at 4:14 a.m. CST

3 Responses
Unless I am missing something, it does not look like there is any prevention of brute-forcing user passwords built into Gluu. Is this something you solve in a particular way? My preference would be to require a CAPTCHA after n login attempts against a particular user.

By Aliaksandr Samuseu staff 18 Feb 2016 at 9:41 a.m. CST

Hi, Jake. I think it's because Gluu itself is rarely used as the authenticator; most of the time it relies on some backend for that, which should already have such protection, as it usually belongs to pre-existing infrastructure (for example, AD's LDAP provider has this feature). But if you really need to use Gluu's internal LDAP directory for authentication, you can enable account lockout in OpenDJ: [http://opendj.forgerock.org/doc/admin-guide/index/chap-account-lockout.html](http://opendj.forgerock.org/doc/admin-guide/index/chap-account-lockout.html)

Regards, Alex.

By Yuriy Movchan staff 18 Feb 2016 at 10:44 a.m. CST

Hi, Jake. oxAuth allows you to write user authentication plugins. This helps to implement any authentication scenario that conforms to your requirements without an application update.

By Michael Schwartz Account Admin 18 Feb 2016 at 11:39 a.m. CST

Yuriy is quite correct. You can use a number of different fraud detection strategies by writing a custom authentication script. I am closing this issue.
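As an added illustration of the two ideas in this thread (Jake's "CAPTCHA after n failed attempts per user" requirement, and Yuriy's and Michael's suggestion to implement such logic in a custom authentication script), here is the throttling decision logic in plain Python. This is example code written for this page, not Gluu's or oxAuth's own code and not a complete oxAuth script: the class and function names (`LoginThrottle`, `attempt_login`), the thresholds, the in-memory counters and the `check_password` callback are all assumptions. Inside a real custom script the same decisions would sit in the script's authentication step, and the counters would need to live in the directory or a shared cache so every oxAuth node sees the same state.

```python
"""Per-user brute-force throttle: require a CAPTCHA after `captcha_after`
failed logins and refuse the account outright after `lockout_after`, with
failures expiring after `window_seconds`.

Example code for illustration only (not Gluu/oxAuth code). Counters are
in-memory and would be shared storage in a real deployment.
"""
import time
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, captcha_after=3, lockout_after=10,
                 window_seconds=600, clock=time.time):
        self.captcha_after = captcha_after
        self.lockout_after = lockout_after
        self.window = window_seconds
        self.clock = clock                 # injectable for deterministic tests
        self._failures = defaultdict(deque)  # normalized username -> failure timestamps

    def _prune(self, user):
        """Drop failures older than the window; return remaining count."""
        now = self.clock()
        q = self._failures[user]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def failures(self, user):
        # Normalize case so "Bob" and "bob" share one counter.
        return self._prune(user.lower())

    def captcha_required(self, user):
        return self.failures(user) >= self.captcha_after

    def locked_out(self, user):
        return self.failures(user) >= self.lockout_after

    def record_failure(self, user):
        user = user.lower()
        self._prune(user)
        self._failures[user].append(self.clock())

    def record_success(self, user):
        self._failures.pop(user.lower(), None)


def attempt_login(throttle, user, password, captcha_ok, check_password):
    """Decision a custom auth script's authentication step would make.

    check_password(user, password) -> bool is the real backend check
    (LDAP bind, etc.); it is an assumed callback here.
    Returns one of: 'locked', 'captcha', 'fail', 'ok'.
    """
    if throttle.locked_out(user):
        return "locked"
    if throttle.captcha_required(user) and not captcha_ok:
        # Gate *before* touching the backend: a guess without a solved
        # CAPTCHA neither reveals anything nor counts as a new failure,
        # so an attacker cannot use the gate itself to lock the user out.
        return "captcha"
    if check_password(user, password):
        throttle.record_success(user)  # reset counters on a real login
        return "ok"
    throttle.record_failure(user)
    return "fail"


def demo():
    """Three bad guesses, then the right password: CAPTCHA now required,
    and the correct password only works once the CAPTCHA is solved."""
    clock = [1000.0]  # constructed fake clock
    t = LoginThrottle(captcha_after=3, lockout_after=5, window_seconds=300,
                      clock=lambda: clock[0])
    users = {"alice": "correct horse"}  # constructed sample credential store
    check = lambda u, p: users.get(u) == p
    results = [attempt_login(t, "alice", g, False, check) for g in ("a", "b", "c")]
    results.append(attempt_login(t, "alice", "correct horse", False, check))
    results.append(attempt_login(t, "alice", "correct horse", True, check))
    return results  # ['fail', 'fail', 'fail', 'captcha', 'ok']


if __name__ == "__main__":
    print(demo())
```

Keying the counter on the username rather than the client IP is deliberate: it catches a distributed guessing attack against one account, which is the case Jake raises. The trade-off is that anyone can push a victim's account into the CAPTCHA state, which is why the CAPTCHA step comes well before the hard lockout threshold, and why the lockout is time-limited rather than permanent.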