Re: Server side delay for bad passwords?



Hallvard B Furuseth wrote:
> Dan White writes:
>> I'm planning on allowing public access to my OpenLDAP server for
>> address book access. I'm only planning to allow authenticated
>> access, both via simple binds and SASL binds, not anonymously.
>> (...)
>> But I'd like to enforce a server side delay of, for example, 5
>> seconds.
>
> Several seconds' delay?  Your users would murder you.  Except the ones
> who didn't know LDAP already and just concluded that LDAP is crap.

I'd only want a delay when a user/attacker has entered a bad password, similar to the way a UNIX shell introduces a delay. My concern is that the faster I tune my server, the more likely it will become that an attacker will brute force a password.


> Don't know, but the manpage doesn't mention "simple", only "bind".

I've seen mention on the list before that ppolicy does not apply to SASL binds, and that's been my experience in testing as well.


- Dan