Re: Server side delay for bad passwords?
Dan White wrote, on 07-02-2008 18:42:
> [...]
> I understand that I could implement the password policy overlay to
> temporarily lock out an account once it's reached a certain number of bad
> password attempts, but I believe that only applies to simple (-x) binds.
> Is that correct?
My site's running ppolicy on 2.3 on Linux for gdm logins with great
success; however, my understanding is that it only cares about
pam/pam_exop calls (presumably also similar from dedicated client or
proxy software). Looking at the relevant operational attributes in gq,
one can see that each failed login is recorded in the pwdFailureTime
attribute. Doing a repeated ldapsearch -x on an account with an invalid
password doesn't make the blindest bit of difference to this attribute
and multiple failed attempts are allowed.
I've also wanted what you want but refuse to publish site email
addresses on the Internet to all and sundry. At the moment authorized
users can obtain site-specific info by logging into webmail, which uses
LDAP internally.
Best,
--Tonni
--
Tony Earnshaw
Email: tonni at hetnet dot nl
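
To check from the command line which failed binds actually land in pwdFailureTime, the operational attributes can be exported and tallied per entry. The script below is an added example, not part of the original post: the LDIF is constructed sample data, and `window_seconds` and `max_failure` are parameters standing in for the policy's pwdFailureCountInterval and pwdMaxFailure. It assumes unfolded, non-base64 LDIF lines.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like LDIF output requesting the ppolicy
# operational attributes pwdFailureTime and pwdAccountLockedTime.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
pwdFailureTime: 20080207174201Z
pwdFailureTime: 20080207174215Z
pwdFailureTime: 20080207174233Z
pwdAccountLockedTime: 20080207174233Z

dn: uid=bob,ou=people,dc=example,dc=com
pwdFailureTime: 20080207090000Z
pwdFailureTime: 20080207174100.123456Z
"""

def parse_gtime(value):
    """Parse a UTC GeneralizedTime, with or without fractional seconds."""
    fmt = "%Y%m%d%H%M%S.%fZ" if "." in value else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def parse_entries(ldif):
    """Return {dn: {"failures": [datetime, ...], "locked": datetime or None}}."""
    entries, current = {}, None
    for line in ldif.splitlines():
        if not line.strip():          # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {"failures": [], "locked": None})
        elif current is not None and attr == "pwdFailureTime":
            current["failures"].append(parse_gtime(value))
        elif current is not None and attr == "pwdAccountLockedTime":
            current["locked"] = parse_gtime(value)
    return entries

def report(ldif, now, window_seconds, max_failure):
    """Count failures inside the window and flag entries at or over the limit."""
    cutoff = now - timedelta(seconds=window_seconds)
    out = {}
    for dn, e in parse_entries(ldif).items():
        recent = sum(1 for t in e["failures"] if t >= cutoff)
        out[dn] = {"recent": recent, "locked": e["locked"] is not None,
                   "over_limit": recent >= max_failure}
    return out

if __name__ == "__main__":
    print(report(SAMPLE_LDIF, datetime(2008, 2, 7, 17, 43, tzinfo=timezone.utc), 300, 3))
```

An entry that shows `over_limit` without `locked`, or no new pwdFailureTime values after a known run of bad binds, indicates those attempts are not being handled by the policy.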