Re: search right and attribute existence
Michael Ströder <michael@stroeder.com> wrote:
> To deal with brute-force attempts you have to establish central
> logging with appropriate log watchers which alarm you in case
> of a brute-force attack.
What about this line of defense?
overlay rwm
rwm-rewriteEngine on
rwm-rewriteContext searchFilter
rwm-rewriteRule "(.*\\()?secret=[^\\)]*(\\).*)?" "$1secret=*$2"
This turns any search filter against the secret attribute into * in
order to thwart brute force attempts. Used with a search level ACL, this
will cause the server to only reveal whether the attribute is present or
not.
I gave it a try and it seems to work. Any comment?
An improvement would be to exempt some users (a group) from this rule.
Any idea how I can do that?
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
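An added check, not code from the post or from OpenLDAP: it re-implements the rwm-rewriteRule above with Python's re module and runs it over constructed sample filters, so one can see which filter forms the rule actually neutralises. It assumes the rewrite engine's default case-insensitive matching and one substitution per rule (no repeat flag), and the sample filters and helper names are made up for the check.

```python
import re

# Constructed re-implementation of the searchFilter rewrite rule from the post.
# slapd.conf needs the backslashes doubled; the regex itself is the one below.
PATTERN = r"(.*\()?secret=[^\)]*(\).*)?"
REPLACEMENT = r"\1secret=*\2"

# Assumptions: the rewrite engine matches case-insensitively by default and
# applies a rule once unless told to repeat, so mirror that here.
_RULE = re.compile(PATTERN, re.IGNORECASE)


def rewrite_filter(flt):
    """Return the filter as the searchFilter rewrite context would emit it."""
    return _RULE.sub(REPLACEMENT, flt, count=1)


def still_compares_secret(flt):
    """True if the rewritten filter still holds a comparison on 'secret' other
    than the presence test (secret=*), i.e. the rule did not neutralise it."""
    out = rewrite_filter(flt)
    terms = re.findall(r"\(secret(?:[~<>:]?=)[^)]*\)", out, re.IGNORECASE)
    return any(t.lower() != "(secret=*)" for t in terms)


# Constructed sample filters, written the way slapd serialises them.
SAMPLES = [
    "(secret=hunter2)",               # direct equality: rewritten
    "(&(uid=manu)(secret=hunter2))",  # inside an AND: rewritten
    "(secret=hun*)",                  # substring: rewritten
    "(SECRET=hunter2)",               # case differs: covered by the ICASE default
    "(|(secret=a)(secret=b))",        # two terms: only the LAST one is rewritten
    "(secret>=m)",                    # ordering match: the regex anchors on the
                                      # literal 'secret=' (matters only if the
                                      # schema gives the attribute an ORDERING rule)
    "(uid=manu)",                     # unrelated filter: untouched
]


def report():
    """Map each sample to (rewritten filter, still leaks a comparison?)."""
    return {f: (rewrite_filter(f), still_compares_secret(f)) for f in SAMPLES}


if __name__ == "__main__":
    for f, (out, leaks) in report().items():
        print(f"{f:32} -> {out:32} {'NOT NEUTRALISED' if leaks else 'ok'}")
```

Filters flagged NOT NEUTRALISED are the ones to cover with the ACL rather than rely on the rewrite alone.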