Re: (ITS#6249) Feature request: Password Modify ext. op. and anonymous LDAP connection
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6249) Feature request: Password Modify ext. op. and anonymous LDAP connection
- From: firstname.lastname@example.org
- Date: Tue, 11 Aug 2009 20:05:40 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Michael Ströder wrote:
> email@example.com wrote:
>> firstname.lastname@example.org wrote:
>>> Full_Name: Michael Ströder
>>> Version: HEAD
>>> Submission from: (NULL) (220.127.116.11)
>>> I'd like to request that a Password Modify ext. op. request should succeed on a
>>> LDAP connection as anonymous if the LDAP client provides the correct old
>>> E.g. OpenDS implements it like this and it makes sense to me regarding a user
>>> setting a new password in case of an expired password.
>> Adding this feature would open up the pwdModify exop as a mechanism for
>> password guessing attacks.
> There could be still the bad password counter in effect just like when
> processing bind requests.
But there is no corresponding lockout action to take when a maxfailure limit
is reached. I.e., it is impossible to lockout "anonymous". You thus open a
security hole that cannot be closed.
Again - No.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
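The thread turns on two controls: whether the Password Modify extended operation is reachable without an authenticated bind, and whether the ppolicy failure counter can bound guessing when the requester is anonymous. The following cn=config LDIF is an added example, not part of the ITS exchange or of OpenLDAP's own documentation; it shows the configuration that matches the position taken above (no directory operations before authentication, anonymous bind disallowed, and a per-entry lockout policy for bind failures). The suffix dc=example,dc=com, the policy DN, the database index {1}mdb and the numeric limits are assumptions chosen for illustration.

```ldif
# Global settings on cn=config (assumed cn=config layout).
# olcRequires: authc  -> reject directory operations, extended operations
#                        included, on a connection that has not authenticated.
# olcDisallows: bind_anon -> refuse anonymous binds outright.
dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc
-
add: olcDisallows
olcDisallows: bind_anon

# Attach the ppolicy overlay to the (assumed) mdb database and point it at a
# default policy entry that lives inside the directory.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com

# The default policy: count failed binds on the target entry and lock it after
# a bounded number of failures. Values are illustrative assumptions.
# pwdPolicy is an auxiliary class, so a structural class (device) carries it.
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdFailureCountInterval: 0
```

With these settings a password change must follow a successful bind as the user (or as an administrator), so the failure accounting that ppolicy keeps on the bound entry is what limits guessing; the lockout applies to a concrete entry rather than to "anonymous", which is the gap the reply above points out.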