sql_response probe should not run profiles related to a connection with a login failure

Idea created by Garin on Dec 3, 2018
    • Daniel Blanco
    • Garin
    • GuanHua1378

    Consider the situation where you have one connection that's used by several profiles, say ten. 


    The issue is if, for instance, the DBA changes the password associated with the account the connection is using without updating the sql_response configuration, you start getting one login failure per profile. If you have many profiles, like ten in this case, and the account has a lockout specified on five failures, you immediately trip the account lockout.


    What I would like to see is the option on the connection configuration to specify a length of time to prevent execution of profiles that are dependant on a connection with a login failure. 


    WIth that, one could set this wait time to be longer than the "Reset account lockout counter after" policy setting and so prevent the sql_response probe from locking the account.


    Additionally it would be nifty if the probe itself could figure out from the account policy if it was safe to try the login attempt again without risking the attempt locking out the account.