[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: 'Max login attempts' variable/config?



Quoting GOMBAS Gabor <gombasg@inf.elte.hu>:

> On Thu, Dec 14, 2000 at 09:56:23AM -0600, Randy Kunkee wrote:
> 
> > > I'd like to limit the number of tries a user can enter the wrong
> > > password in one go...
> 
> > Sounds like you'd like to have this policy in the server.

I'm well aware of this (see below)...

> It's not clear to me: you are using LDAP to authenticate UNIX accounts, or
> talking about authentication in the LDAP bind operation?

Both, that's the 'problem'...

login/ssh works as it should, it's a PAM/system thing. The problem comes if
someone tries to harvest the LDAP server for information. To do this one have
to authenticate to the LDAP _SERVER_, not to the system itself. This is because
I've put in a lot of ACL's that limit what one can read as anonymous...


Using the ldapsearch commands, it quite obviously don't work to set a policy
in the system. :)

> only the  slapd daemon  is in  the position to  check and  limit the
> number of allowed authentication failures,  it cannot be done at the
> client side (for obvious reasons).

Doh! :)

> slapd currently does not implement such limitations (at least I do not know
> about it).

That's what I wanted to know, thanx... It's a shame that it hasn't...

Global request: Does anyone have (or have heard of) a patch that makes
slapd drop/reject a authentication after X unsuccessful authentication attempts?

Would it be 'difficult' to implement this? I haven't had a look at the sources,
and I'm kind'a oversvamped with other works (as everybody else I guess :) so
can't do this myself...

> So if you allow just 'auth' access to the userPassword attribute
> from untrusted sources, you are in a big trouble, as dictionary attacks can
> be easily done without being noticed.

Unfortunately I don't know if I can live with this... I want clients/customers
to be able to search the database when they are out-of-office to...