
Re: (ITS#6249) Feature request: Password Modify ext. op. and anonymous LDAP connection



Michael Ströder wrote:
> hyc@symas.com wrote:
>> michael@stroeder.com wrote:
>>> Full_Name: Michael Ströder
>>> Version: HEAD
>>> OS:
>>> URL:
>>> Submission from: (NULL) (84.163.50.194)
>>>
>>> I'd like to request that a Password Modify ext. op. request should succeed on a
>>> LDAP connection as anonymous if the LDAP client provides the correct old
>>> password.
>>>
>>> E.g. OpenDS implements it like this and it makes sense to me regarding a user
>>> setting a new password in case of an expired password.
>>
>> Adding this feature would open up the pwdModify exop as a mechanism for
>> password guessing attacks.
>
> There could be still the bad password counter in effect just like when
> processing bind requests.

But there is no corresponding lockout action to take when a maxfailure limit
is reached. I.e., it is impossible to lock out "anonymous". You thus open a
security hole that cannot be closed.

Again - No.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/