LDAP and Bind Throttling

Overview

Although Server-Side Login throttling schemes are a best practice, LDAP Server Implementations should offer the ability to disable Bind Request delays.

A while back Ldapwiki was working with a client where an Identity Broker product would issue a Bind Request and then wait for the Bind Response before issuing the next Bind Request. When the Bind Response was a failure, the Bind Request was repeated until the Identity Broker product's own Server-Side Login throttling scheme was triggered.
This meant that if the failed-bind delay on the LDAP server was 3 seconds and the Identity Broker's Server-Side Login throttling scheme allowed 5 attempts, (3x5)=15 seconds of delay were introduced by the LDAP server before the broker's own throttling took effect.

In general, LDAP-specific servers should not apply a Server-Side Login throttling scheme of their own.

When using Microsoft Active Directory or any other server where LDAP is used for Authentication and the same server also provides direct access to Protected Resources, you have a quandary: disabling the Bind Request delay removes a protection for those Protected Resources, while keeping it stacks with whatever throttling the Identity Broker in front of it already applies.
