By: Jake Barwell user 18 Feb 2016 at 4:14 a.m. CST

3 Responses
Jake Barwell gravatar
Unless I am missing something it does not look like there is any prevention of brute forcing user passwords built in to gluu. Is this something you solve in a particular way? My preference would be to require a captcha after n login attempts against a particular user.

By Aliaksandr Samuseu staff 18 Feb 2016 at 9:41 a.m. CST

Aliaksandr Samuseu gravatar
Hi, Jake. I think it's because Gluu itself is rarely being used as authenticator, most of the times it relies on some backend for that, which is already should have such protection as usually it belongs to pre-existing infrastracture (for example, AD's LDAP Provider has this feature) But if you really need to use Gluu's internal LDAP directory for authentication, you can enable account lockout in OpenDJ: []( Regards, Alex.

By Yuriy Movchan staff 18 Feb 2016 at 10:44 a.m. CST

Yuriy Movchan gravatar
Hi, Jake. oxAuth allows to write user authentication plugins. This helps to implement any authentication scenario to conform requirements without application update.

By Michael Schwartz Account Admin 18 Feb 2016 at 11:39 a.m. CST

Michael Schwartz gravatar
Yuriy is quite correct. You can use a number of different fraud detection strategies by writing a custom authentication script. I am closing this issue.