Re: Server side delay for bad passwords?

[Buchan Milne <bgmilne@staff.telkomsa.net>]

On Friday 08 February 2008 08:11:58 Tony Earnshaw wrote:
> Dan White skrev, on 07-02-2008 18:42:
>
> [...]
>
> > I understand that I could implement the password policy overlay to
> > temporarily lockout an account once it's reached a certain number of bad
> > password attempts, but I believe that only applies to simple (-x) binds.
> > Is that correct?
>
> My site's running ppolicy on 2.3 on Linux for gdm logins with great
> success; however, my understanding is, that it only cares about
> pam/pam_exop calls (presumably also similar from dedicated client or
> proxy software).

exop only affects how passwords are changed, not what the client sends on a 
simple bind request.

> Looking at the relevant operational attributes in gq, 
> one can see that each failed login is recorded tn the pwdFailureTime
> attribute. Doing a repeated ldapsearch -x on an account with an invalid
> password doesn't make the blindest bit of difference to this attribute
> and multiple failed attempts are allowed.

Uh, when binding as the DN in question, or not (your ldapsearch -x is 
ambiguous)?

In the testing I did a while back (where I used ldapwhoami), simple binds with 
and without the ppolicy control both resulted in lockout (but the one with 
the control would warn about impending expiry when testing expiry). In fact, 
I broke replication on one of the dev slaves that was using a simple bind in 
the syncrepl configuration.

Regards,
Buchan