Some parts of freeipa are meant to be used relatively sparsely, one for example is the custodia base secrets sharing mechanism.
Using mod_security to rate limit access to the custodia related URIs would add a barrier to bruteforce attemps of any kind.
The same could be done for the rest of IPA with more relaxed limits.
mod_evasive could be used as well.
Metadata Update from @simo:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog
to comment on this ticket.