Server side delay for bad passwords?
I'm planning on allowing public access to my OpenLDAP server for
address book access. I'm only planning to allow authenticated
access, both via simple binds and SASL binds, not anonymously.
Is there an approach to preventing a brute force attack at
guessing an entry's password? I've noticed that with my
configuration, when performing an ldapwhoami or ldapsearch, and
when submitting an incorrect password, I receive an immediate
response that the password is bad, rather than a delay which I
would like to have.
I'm using version 2.3.39.
In other words, this is what I get today:
~# time ldapsearch -Y DIGEST-MD5 -U abrown@olp.net -w badpassword
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): authentication failure:
client response doesn't match what we generated
real 0m0.015s
user 0m0.012s
sys 0m0.004s
But I'd like to enforce a server side delay of, for example, 5
seconds.
I understand that I could implement the password policy overlay
to temporarily lock out an account once it's reached a certain
number of bad password attempts, but I believe that only applies
to simple (-x) binds. Is that correct?
Thanks,
- Dan White
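As an illustration of the lockout the post refers to, here is a configuration fragment for the OpenLDAP password policy overlay (slapo-ppolicy). It is added here for readers and is not part of Dan White's message or of any reply; the suffix dc=example,dc=com, the policy DN, the schema path and the threshold values (5 failures within 300 seconds, 900-second lockout) are assumptions chosen for the example. The fragment counts failed simple binds against the entry and locks it after the threshold; it does not speak to the SASL question raised in the post.

```ldif
# --- slapd.conf, global section (paths are assumed) ---
include         /etc/openldap/schema/ppolicy.schema
# only needed when slapd was built with dynamic modules
moduleload      ppolicy.la

# --- slapd.conf, inside the database section for dc=example,dc=com ---
overlay         ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"

# --- policy.ldif, loaded once with ldapadd (constructed example entries) ---
dn: ou=policies,dc=example,dc=com
objectClass: organizationalUnit
ou: policies

# pwdPolicy is auxiliary, so a structural class (person) carries the entry
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
# lock the entry after 5 failed binds ...
pwdMaxFailure: 5
# ... counted within a 300-second window (older failures are discarded)
pwdFailureCountInterval: 300
pwdLockout: TRUE
# automatic unlock after 900 seconds; 0 would require an administrator reset
pwdLockoutDuration: 900
```

Failed binds are recorded in the entry's operational attribute pwdFailureTime and a lockout in pwdAccountLockedTime, so a search for those attributes by a privileged DN shows which accounts are under attack. A lockout policy trades brute-force resistance for a denial-of-service surface: anyone who can reach the server can lock a known DN by sending bad passwords, which is why a finite pwdLockoutDuration is used above rather than a permanent lock.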