Some parts of freeipa are meant to be used relatively sparsely, one for example is the custodia base secrets sharing mechanism.
Using mod_security to rate limit access to the custodia related URIs would add a barrier to bruteforce attemps of any kind.
The same could be done for the rest of IPA with more relaxed limits.
mod_evasive could be used as well.
Metadata Update from @simo: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5 backlog
Login to comment on this ticket.