[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6249) Feature request: Password Modify ext. op. and anonymous LDAP connection

hyc@symas.com wrote:
> Michael Ströder wrote:
>> hyc@symas.com wrote:
>>> michael@stroeder.com wrote:
>>>> Full_Name: Michael Ströder
>>>> Version: HEAD
>>>> OS:
>>>> URL:
>>>> Submission from: (NULL) (
>>>> I'd like to request that a Password Modify ext. op. request should succeed on a
>>>> LDAP connection as anonymous if the LDAP client provides the correct old
>>>> password.
>>>> E.g. OpenDS implements it like this and it makes sense to me regarding a user
>>>> setting a new password in case of an expired password.
>>> Adding this feature would open up the pwdModify exop as a mechanism for
>>> password guessing attacks.
>> There could be still the bad password counter in effect just like when
>> processing bind requests.
> But there is no corresponding lockout action to take when a maxfailure limit 
> is reached. I.e., it is impossible to lockout "anonymous". You thus open a 
> security hole that cannot be closed.

The password modify ext.op. request contains the DN (or username) of the entry
to which the old password belongs.

Since the old password is really checked you could apply the lockout to the
entry for which the password is going to be changed. (It fails with Server is
"unwilling to perform: unwilling to verify old password." even if the user is
bound on that connection.)

Ciao, Michael.