[Date Prev][Date Next]
Re: (ITS#6249) Feature request: Password Modify ext. op. and anonymous LDAP connection
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6249) Feature request: Password Modify ext. op. and anonymous LDAP connection
- From: firstname.lastname@example.org
- Date: Tue, 11 Aug 2009 19:36:30 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
> Full_Name: Michael Ströder
> Version: HEAD
> Submission from: (NULL) (220.127.116.11)
> I'd like to request that a Password Modify ext. op. request should succeed on a
> LDAP connection as anonymous if the LDAP client provides the correct old
> E.g. OpenDS implements it like this and it makes sense to me regarding a user
> setting a new password in case of an expired password.
Adding this feature would open up the pwdModify exop as a mechanism for
password guessing attacks. In fact, in the next draft of the ppolicy spec I
was intending to explicitly forbid this type of usage, to prevent such attacks.
The ppolicy spec provides for grace logins after a password is expired, to
give users a few last opportunities to change their password. If they don't
take advantage of those grace logins, then they are out of luck and must get
help from a password administrator.
I'm going to reject this ITS.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/