Re: 'Max login attempts' variable/config?
Quoting GOMBAS Gabor <gombasg@inf.elte.hu>:
> On Thu, Dec 14, 2000 at 09:56:23AM -0600, Randy Kunkee wrote:
>
> > > I'd like to limit the number of tries a user can enter the wrong
> > > password in one go...
>
> > Sounds like you'd like to have this policy in the server.
I'm well aware of this (see below)...
> It's not clear to me: you are using LDAP to authenticate UNIX accounts, or
> talking about authentication in the LDAP bind operation?
Both, that's the 'problem'...
login/ssh works as it should, it's a PAM/system thing. The problem comes if
someone tries to harvest the LDAP server for information. To do this one has
to authenticate to the LDAP _SERVER_, not to the system itself. This is because
I've put in a lot of ACLs that limit what one can read as anonymous...
Using the ldapsearch commands, it quite obviously doesn't work to set a policy
in the system. :)
> only the slapd daemon is in the position to check and limit the
> number of allowed authentication failures, it cannot be done at the
> client side (for obvious reasons).
Doh! :)
> slapd currently does not implement such limitations (at least I do not know
> about it).
That's what I wanted to know, thanx... It's a shame that it hasn't...
Global request: Does anyone have (or have heard of) a patch that makes
slapd drop/reject an authentication after X unsuccessful authentication attempts?
Would it be 'difficult' to implement this? I haven't had a look at the sources,
and I'm kinda overswamped with other work (as everybody else I guess :) so
can't do this myself...
> So if you allow just 'auth' access to the userPassword attribute
> from untrusted sources, you are in big trouble, as dictionary attacks can
> be easily done without being noticed.
Unfortunately I don't know if I can live with this... I want clients/customers
to be able to search the database when they are out-of-office too...
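As an added illustration (not code from this thread, nor from OpenLDAP): since the server in question cannot enforce a failure limit itself, the next best thing a defender can do is spot the dictionary-attack pattern in slapd's own logs. The script below correlates BIND requests with their RESULT lines by `conn`/`op`, counts `err=49` (invalidCredentials) per bind DN inside a sliding time window, and reports which DNs crossed a threshold. The sample log lines are constructed to approximate OpenLDAP's "stats" loglevel output; the threshold (5 failures) and window (300 seconds) are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed policy values (not from the thread): how many failed binds per DN
# inside a sliding window should trigger an alert.
MAX_FAILURES = 5
WINDOW_SECONDS = 300

# Constructed sample lines approximating slapd "stats" logging: alice fails
# five times in a few seconds, bob fails once then succeeds, carol fails
# twice but ten minutes apart. A non-bind RESULT line is included to show
# that it is ignored.
SAMPLE_LOG = """\
Dec 14 10:00:01 ldap slapd[123]: conn=10 fd=12 ACCEPT from IP=192.0.2.5:4000 (IP=0.0.0.0:389)
Dec 14 10:00:01 ldap slapd[123]: conn=10 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Dec 14 10:00:01 ldap slapd[123]: conn=10 op=0 RESULT tag=97 err=49 text=
Dec 14 10:00:02 ldap slapd[123]: conn=10 op=1 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Dec 14 10:00:02 ldap slapd[123]: conn=10 op=1 RESULT tag=97 err=49 text=
Dec 14 10:00:03 ldap slapd[123]: conn=11 fd=13 ACCEPT from IP=192.0.2.5:4001 (IP=0.0.0.0:389)
Dec 14 10:00:03 ldap slapd[123]: conn=11 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
Dec 14 10:00:03 ldap slapd[123]: conn=11 op=0 RESULT tag=97 err=49 text=
Dec 14 10:00:04 ldap slapd[123]: conn=10 op=2 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Dec 14 10:00:04 ldap slapd[123]: conn=10 op=2 RESULT tag=97 err=49 text=
Dec 14 10:00:05 ldap slapd[123]: conn=11 op=1 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
Dec 14 10:00:05 ldap slapd[123]: conn=11 op=1 RESULT tag=97 err=0 text=
Dec 14 10:00:06 ldap slapd[123]: conn=10 op=3 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Dec 14 10:00:06 ldap slapd[123]: conn=10 op=3 RESULT tag=97 err=49 text=
Dec 14 10:00:07 ldap slapd[123]: conn=10 op=4 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Dec 14 10:00:07 ldap slapd[123]: conn=10 op=4 RESULT tag=97 err=49 text=
Dec 14 10:00:08 ldap slapd[123]: conn=10 op=5 SRCH base="dc=example,dc=com" scope=2 filter="(uid=*)"
Dec 14 10:00:08 ldap slapd[123]: conn=10 op=5 SEARCH RESULT tag=101 err=0 nentries=0 text=
Dec 14 10:00:09 ldap slapd[123]: conn=12 op=0 BIND dn="uid=carol,ou=people,dc=example,dc=com" method=128
Dec 14 10:00:09 ldap slapd[123]: conn=12 op=0 RESULT tag=97 err=49 text=
Dec 14 10:10:09 ldap slapd[123]: conn=12 op=1 BIND dn="uid=carol,ou=people,dc=example,dc=com" method=128
Dec 14 10:10:09 ldap slapd[123]: conn=12 op=1 RESULT tag=97 err=49 text=
"""

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d)")
BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=')
# Only a bare "RESULT" directly after op=N is a bind/op result; "SEARCH RESULT" does not match.
RESULT_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)")

INVALID_CREDENTIALS = 49  # LDAP result code for a wrong password
BIND_RESPONSE_TAG = 97    # BER tag of a BindResponse


def parse_ts(line):
    """Syslog timestamps carry no year; only differences between them matter here."""
    return datetime.strptime(TS_RE.match(line).group(1), "%b %d %H:%M:%S")


def analyze(log_text, max_failures=MAX_FAILURES, window_seconds=WINDOW_SECONDS):
    """Return failure counts per bind DN inside the window, plus DNs over the threshold."""
    pending = {}                 # (conn, op) -> dn for BIND ops whose RESULT has not been seen
    recent = defaultdict(deque)  # dn -> timestamps of recent failed binds
    flagged = []                 # DNs that crossed the threshold, in order of detection

    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            if m.group("dn"):  # anonymous binds carry no password to guess; skip them
                pending[(m.group("conn"), m.group("op"))] = m.group("dn")
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        dn = pending.pop((m.group("conn"), m.group("op")), None)
        if dn is None or int(m.group("tag")) != BIND_RESPONSE_TAG:
            continue  # not the result of a bind we are tracking

        ts = parse_ts(line)
        err = int(m.group("err"))
        window = recent[dn]
        if err == INVALID_CREDENTIALS:
            window.append(ts)
            # Drop failures that fell out of the sliding window.
            while window and (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= max_failures and dn not in flagged:
                flagged.append(dn)
        elif err == 0 and dn not in flagged:
            # A successful bind clears the count only for DNs not already flagged.
            window.clear()

    return {"failures": {dn: len(q) for dn, q in recent.items()}, "flagged": flagged}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for dn, n in report["failures"].items():
        print(f"{n:2d} recent failed bind(s) for {dn}")
    print("over threshold:", report["flagged"])
```

Run against the constructed log, alice is flagged after her fifth failure while bob (reset by his successful bind) and carol (two failures more than a window apart) are not. This only detects; as the quoted reply points out, refusing further binds has to happen inside slapd, and the `method=128` simple binds seen here travel in clear unless the connection is protected.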