OpenLDAP
Viewing Software Enhancements/5911

From: aravind@freeshell.org
Subject: password policy - alternate lockout mechanism
0 replies:
0 followups:

Date: Wed, 28 Jan 2009 22:57:10 GMT
From: aravind@freeshell.org
To: openldap-its@OpenLDAP.org
Subject: password policy - alternate lockout mechanism
Full_Name: Aravind Gottipati
Version: 2.4.13
OS: Linux - RHEL5
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (63.245.220.241)


I'd like to propose a change to how the password lockouts work.  The current
system does not differentiate between multiple bind attempts with a single (or
even a few) incorrect password(s) vs. multiple bind attempts with different
incorrect passwords.

In our case, this results in a ton of false positives when folks change their
password, but don't propagate their password change to all the
applications/machines that use it.  This causes a bunch of unnecessary
lockouts.  A real crack attempt on the other hand would most likely try a bunch
of passwords (none of which repeat).

I have posted the same on the openldap-software mailing lists and Jeff Clowser
proposed a scheme that should work to solve the problem.

Record each failed bind attempt as a (hash, timestamp) pair.  If there is another
failed attempt, check the password against these (hash, timestamp) pairs and
update the timestamp if the hash is found.  If it's a new password that hasn't
been attempted before, then create a new (hash, timestamp) pair.  Lock the
account out if there are more than pwdMaxFailure hashes stored.

http://www.openldap.org/lists/openldap-software/200901/msg00147.html
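The (hash, timestamp) bookkeeping proposed in the message above, written out as a stand-alone Python model so the behaviour on the two cases the submitter contrasts (a stale client retrying one old password vs. a guessing attack with distinct passwords) can be exercised. This is an added example, not OpenLDAP's ppolicy overlay code and not the scheme as Jeff Clowser posted it; the class and method names are invented for illustration. The two knobs are named after the real ppolicy attributes pwdMaxFailure and pwdFailureCountInterval, and the example locks once the distinct-failure count reaches pwdMaxFailure, which is how ppolicy applies that attribute. One addition beyond the proposal's plain "hash": the stored value is a keyed HMAC over the DN and the attempted password, because the failed passwords are very often the user's genuine previous password, and an unkeyed digest of them would be an offline-crackable oracle for anyone who can read the entry.

```python
import hashlib
import hmac
import os
import time


class DistinctFailureTracker:
    """Per-DN record of failed binds keyed by a keyed hash of the
    attempted password (hypothetical class, not ppolicy code).

    Repeating the same wrong password only refreshes that entry's
    timestamp; only distinct wrong passwords count toward
    pwd_max_failure.  Entries older than pwd_failure_count_interval
    seconds are dropped before counting, mirroring how ppolicy ages
    out pwdFailureTime values.
    """

    def __init__(self, pwd_max_failure, pwd_failure_count_interval=0, key=None):
        self.pwd_max_failure = pwd_max_failure                  # like pwdMaxFailure
        self.pwd_failure_count_interval = pwd_failure_count_interval  # like pwdFailureCountInterval
        # Server-side secret so stored digests cannot be cracked offline
        # (assumption: the directory can keep such a key out of the DIT).
        self.key = key if key is not None else os.urandom(32)
        self._failures = {}  # dn -> {digest: last_seen_timestamp}

    def _digest(self, dn, password):
        # Keyed and DN-bound: the same wrong password tried against two
        # DNs yields unrelated digests.
        mac = hmac.new(self.key, digestmod=hashlib.sha256)
        mac.update(dn.encode("utf-8"))
        mac.update(b"\0")
        mac.update(password.encode("utf-8"))
        return mac.hexdigest()

    def _expire(self, entries, now):
        # Drop (hash, timestamp) pairs that fell out of the counting window.
        if self.pwd_failure_count_interval <= 0:
            return
        cutoff = now - self.pwd_failure_count_interval
        for digest in [d for d, ts in entries.items() if ts < cutoff]:
            del entries[digest]

    def record_failure(self, dn, password, now=None):
        """Register a failed bind; return True if dn should now be locked."""
        now = time.time() if now is None else now
        entries = self._failures.setdefault(dn, {})
        self._expire(entries, now)
        # Known hash -> timestamp refreshed; new hash -> new pair created.
        entries[self._digest(dn, password)] = now
        return self.is_locked(dn)

    def record_success(self, dn):
        # A successful bind clears the history, as ppolicy clears pwdFailureTime.
        self._failures.pop(dn, None)

    def distinct_failures(self, dn):
        return len(self._failures.get(dn, {}))

    def is_locked(self, dn):
        return (self.pwd_max_failure > 0
                and self.distinct_failures(dn) >= self.pwd_max_failure)


def simulate(tracker, dn, attempts):
    """Replay constructed (password, timestamp) failures; return the list of
    lock decisions so the two scenarios can be compared side by side."""
    return [tracker.record_failure(dn, pw, now=ts) for pw, ts in attempts]


if __name__ == "__main__":
    dn = "uid=example,ou=people,dc=example,dc=com"  # constructed sample DN
    t = DistinctFailureTracker(pwd_max_failure=3, pwd_failure_count_interval=300, key=b"demo-key")
    # Stale client: ten retries of one old password, no lockout.
    print(simulate(t, dn, [("OldPassw0rd", 1000 + i) for i in range(10)]))
    # Guessing attack: distinct passwords, locked on the third distinct one.
    print(simulate(t, dn, [("guess1", 1011), ("guess2", 1012)]))
```

The state an entry carries is bounded by pwdMaxFailure pairs, since the account locks before a further pair would be added, and a guesser who never repeats a password is treated exactly as today. The keyed digests are still sensitive (they confirm a candidate password for anyone holding the key), so in a real deployment they belong in an operational attribute with the same access controls as pwdFailureTime, not in anything readable by ordinary users.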

© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org