Password policy: possible DoS scenario
- To: "'openldap-technical@openldap.org'" <openldap-technical@openldap.org>
- Subject: Password policy: possible DoS scenario
- From: Konstantin Boyandin <temmokan@gmail.com>
- Date: Tue, 01 Mar 2011 11:23:41 +0600
- User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101209 Fedora/3.1.7-0.35.b3pre.fc14 Thunderbird/3.1.7
Hello,
Thanks to everyone who answered me earlier, I've managed to set up
password policy on the OpenLDAP provided in CentOS 5.5 repositories
(current version 2.3.43).
The setup: we have password policy enabled for user accounts in our
intranet. After 5 unsuccessful attempts the account is blocked for a short
duration (30 seconds).
Does that mean that anyone now can keep all the accounts blocked most of
the time? Am I right that if anyone enters someone else's incorrect
password 5 times (in the given case), they will block the target account
(regardless of what IP address the attacker was connecting from)?
Narrower question: do password policy module developers plan to take
into account what IPs are used to connect (thus, blocking only access
from specific IPs)?
Thanks.
All the best,
Konstantin
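Because the ppolicy overlay counts failed binds per account and not per source address, correlating the source has to happen at the log layer. The following is an added example, not code from the original post or from the OpenLDAP project: it parses constructed slapd stats-level log lines (ACCEPT / BIND / RESULT err=49, the invalidCredentials result) and reports which sources fail against several accounts and how many failures each DN has accumulated towards the pwdMaxFailure limit of 5 described above.

```python
import re
from collections import defaultdict

# Constructed sample of slapd "stats" log lines (not taken from the post).
# 198.51.100.7 fails binds against two accounts; 203.0.113.9 has one typo then succeeds.
SAMPLE_LOG = """\
conn=1001 fd=12 ACCEPT from IP=198.51.100.7:40211 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
conn=1001 op=0 RESULT tag=97 err=49 text=
conn=1001 op=1 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
conn=1001 op=1 RESULT tag=97 err=49 text=
conn=1001 op=2 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
conn=1001 op=2 RESULT tag=97 err=49 text=
conn=1002 fd=13 ACCEPT from IP=203.0.113.9:51022 (IP=0.0.0.0:389)
conn=1002 op=0 BIND dn="uid=carol,ou=people,dc=example,dc=com" method=128
conn=1002 op=0 RESULT tag=97 err=49 text=
conn=1002 op=1 BIND dn="uid=carol,ou=people,dc=example,dc=com" method=128
conn=1002 op=1 RESULT tag=97 err=0 text=
"""

# search() is used so a syslog prefix (timestamp, "slapd[pid]:") does not matter.
ACCEPT_RE = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')  # tag=97 = bind result

def failed_binds_by_source(log_text):
    """Return {source_ip: {bind_dn: failure_count}} for err=49 (invalidCredentials)."""
    conn_ip = {}    # conn id -> client IP, learned from the ACCEPT line
    pending = {}    # (conn, op) -> DN of a BIND whose RESULT has not been seen yet
    failures = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            conn_ip[m.group(1)] = m.group(2)
        elif m := BIND_RE.search(line):
            pending[(m.group(1), m.group(2))] = m.group(3)
        elif m := RESULT_RE.search(line):
            dn = pending.pop((m.group(1), m.group(2)), None)
            if dn and m.group(3) == "49":
                failures[conn_ip.get(m.group(1), "unknown")][dn] += 1
    return {ip: dict(per_dn) for ip, per_dn in failures.items()}

def suspicious_sources(failures, min_accounts=2):
    """Sources whose failed binds span at least min_accounts distinct DNs."""
    return sorted(ip for ip, per_dn in failures.items() if len(per_dn) >= min_accounts)

def failures_per_account(failures):
    """Failures per DN summed over all sources: the count that pwdMaxFailure acts on."""
    totals = defaultdict(int)
    for per_dn in failures.values():
        for dn, n in per_dn.items():
            totals[dn] += n
    return dict(totals)
```

Run over a real slapd log (loglevel stats) the same functions give the per-source view that ppolicy itself does not keep, so a single source locking many accounts can be blocked at the firewall without lowering the per-account lockout.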