Re: Password policy: possible DoS scenario
On Tuesday, 1 March 2011 07:23:41 Konstantin Boyandin wrote:
> Hello,
>
> Thanks to everyone having answered me earlier, I've managed to set up
> password policy on the OpenLDAP provided in CentOS 5.5 repositories
> (current version 2.3.43).
>
> The setup: we have password policy enabled for user accounts in our
> intranet. After 5 unsuccessful attempts the account is blocked for a short
> duration (30 seconds).
>
> Does that mean that anyone now can keep all the accounts blocked most of
> the time?
Well, you do the maths.
But, surely you have enough monitoring in place that you would be able to
notice a high rate of unsuccessful binds, so that the duration of "most of the
time" would not be very long.
> Am I right that if anyone enters someone else's incorrect
> password 5 times (in the given case), they will block the target account
> (regardless of what IP address the attacker was connecting from)?
Yes. But, where is the line between a DoS and an attempt to break into an
account?
In either case, if this *is* only in your intranet, behaviour like this would
surely violate your terms of use policy ...
> Narrower question: do password policy module developers plan to take
> into account what IPs are used to connect (thus, blocking only access
> from specific IPs)?
Maybe you should provide a specific use case, besides "my users violate my
terms of use, and I can't do anything about it".
Regards,
Buchan
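Buchan's answer rests on monitoring: the lockout DoS only lasts as long as a high rate of failed binds goes unnoticed. The script below is an added example, not part of this thread or of the OpenLDAP project, showing what such monitoring looks like over slapd "stats"-loglevel output. It joins the ACCEPT, BIND and RESULT lines of each connection to recover (client IP, bind DN) for every err=49 result, then reports which DNs reached the pwdMaxFailure count of 5 from the thread and which client addresses failed against several different accounts, which is the shape of an account-locking sweep rather than a user mistyping their own password. The log lines, host name, addresses and DNs are constructed; the optional `interval` argument mirrors ppolicy's pwdFailureCountInterval and is left unset by default, matching a policy that only sets pwdMaxFailure and pwdLockoutDuration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The three slapd "stats" log lines that matter for a simple bind.
TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) ")
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")


def failed_binds(log_text):
    """Return [(time, client_ip, bind_dn)] for every simple bind answered with err=49.
    The IP is on the ACCEPT line and the DN on the BIND line, so both are remembered
    per connection and joined when the RESULT line for that op arrives."""
    conn_ip, bind_dn, events = {}, {}, []
    for line in log_text.splitlines():
        ts = TS_RE.match(line)
        if not ts:
            continue
        when = datetime.strptime(ts.group(1), "%b %d %H:%M:%S")
        if m := ACCEPT_RE.search(line):
            conn_ip[m.group(1)] = m.group(2)
        elif m := BIND_RE.search(line):
            bind_dn[(m.group(1), m.group(2))] = m.group(3)
        elif (m := RESULT_RE.search(line)) and m.group(3) == "49":
            dn = bind_dn.get((m.group(1), m.group(2)), "")
            if dn:  # err=49 on an anonymous bind names no target account
                events.append((when, conn_ip.get(m.group(1), "?"), dn))
    return events


def locked_accounts(events, max_failure=5, interval=None):
    """DNs that took max_failure failed binds (within `interval` seconds if given, which
    mirrors pwdFailureCountInterval; otherwise anywhere in the log), mapped to the sorted
    client IPs responsible. Several IPs against one DN is the lockout-DoS pattern."""
    per_dn = defaultdict(list)
    for when, ip, dn in events:
        per_dn[dn].append((when, ip))
    locked = {}
    for dn, hits in per_dn.items():
        hits.sort()
        for i in range(len(hits) - max_failure + 1):
            span = hits[i + max_failure - 1][0] - hits[i][0]
            if interval is None or span <= timedelta(seconds=interval):
                locked[dn] = sorted({ip for _, ip in hits})
                break
    return locked


def sweeping_clients(events, min_targets=3):
    """Client IPs whose failures hit at least min_targets distinct DNs: locking accounts
    in bulk looks like this, a user mistyping their own password does not."""
    targets = defaultdict(set)
    for _, ip, dn in events:
        targets[ip].add(dn)
    return {ip: sorted(dns) for ip, dns in targets.items() if len(dns) >= min_targets}


# Constructed sample (not real traffic): alice binds successfully from 192.0.2.10;
# 198.51.100.7 then fails five binds as alice and one each as bob and carol;
# 192.0.2.11 mistypes bob's password once, five minutes later.
SAMPLE_LOG = """\
Mar  1 07:23:41 ldap1 slapd[1234]: conn=1000 fd=12 ACCEPT from IP=192.0.2.10:45678 (IP=0.0.0.0:389)
Mar  1 07:23:41 ldap1 slapd[1234]: conn=1000 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Mar  1 07:23:41 ldap1 slapd[1234]: conn=1000 op=0 RESULT tag=97 err=0 text=
Mar  1 07:25:01 ldap1 slapd[1234]: conn=1001 fd=13 ACCEPT from IP=198.51.100.7:51000 (IP=0.0.0.0:389)
Mar  1 07:25:01 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Mar  1 07:25:01 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Mar  1 07:25:01 ldap1 slapd[1234]: conn=1001 op=1 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Mar  1 07:25:01 ldap1 slapd[1234]: conn=1001 op=1 RESULT tag=97 err=49 text=
Mar  1 07:25:02 ldap1 slapd[1234]: conn=1001 op=2 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Mar  1 07:25:02 ldap1 slapd[1234]: conn=1001 op=2 RESULT tag=97 err=49 text=
Mar  1 07:25:02 ldap1 slapd[1234]: conn=1001 op=3 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Mar  1 07:25:02 ldap1 slapd[1234]: conn=1001 op=3 RESULT tag=97 err=49 text=
Mar  1 07:25:03 ldap1 slapd[1234]: conn=1001 op=4 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Mar  1 07:25:03 ldap1 slapd[1234]: conn=1001 op=4 RESULT tag=97 err=49 text=
Mar  1 07:25:04 ldap1 slapd[1234]: conn=1002 fd=14 ACCEPT from IP=198.51.100.7:51001 (IP=0.0.0.0:389)
Mar  1 07:25:04 ldap1 slapd[1234]: conn=1002 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
Mar  1 07:25:04 ldap1 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=49 text=
Mar  1 07:25:04 ldap1 slapd[1234]: conn=1002 op=1 BIND dn="uid=carol,ou=people,dc=example,dc=com" method=128
Mar  1 07:25:04 ldap1 slapd[1234]: conn=1002 op=1 RESULT tag=97 err=49 text=
Mar  1 07:30:15 ldap1 slapd[1234]: conn=1003 fd=12 ACCEPT from IP=192.0.2.11:40022 (IP=0.0.0.0:389)
Mar  1 07:30:15 ldap1 slapd[1234]: conn=1003 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
Mar  1 07:30:15 ldap1 slapd[1234]: conn=1003 op=0 RESULT tag=97 err=49 text=
"""

if __name__ == "__main__":
    ev = failed_binds(SAMPLE_LOG)
    for dn, ips in locked_accounts(ev).items():
        print(f"LOCKED (pwdMaxFailure reached) {dn} from {ips}")
    for ip, dns in sweeping_clients(ev).items():
        print(f"SWEEP  {ip} failed against {len(dns)} accounts: {dns}")
```

Run against a live server's log, the `LOCKED` lines tell you which users are currently paying the 30 second penalty and from where, and the `SWEEP` lines separate a single client knocking out many accounts from the ordinary background of mistyped passwords; a per-IP count over the lockout window is also what you would alert on, since the source address is visible in the log even though ppolicy itself does not consider it.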