Re: (ITS#6249) Feature request: Password Modify ext. op. and anonymous LDAP connection

[hyc@symas.com]

Michael Ströder wrote:
> hyc@symas.com wrote:
>> Michael Ströder wrote:
>>> hyc@symas.com wrote:
>>>> michael@stroeder.com wrote:
>>>>> Full_Name: Michael Ströder
>>>>> Version: HEAD
>>>>> OS:
>>>>> URL:
>>>>> Submission from: (NULL) (84.163.50.194)
>>>>>
>>>>> I'd like to request that a Password Modify ext. op. request should succeed on a
>>>>> LDAP connection as anonymous if the LDAP client provides the correct old
>>>>> password.
>>>>>
>>>>> E.g. OpenDS implements it like this and it makes sense to me regarding a user
>>>>> setting a new password in case of an expired password.
>>>> Adding this feature would open up the pwdModify exop as a mechanism for
>>>> password guessing attacks.
>>> There could be still the bad password counter in effect just like when
>>> processing bind requests.
>>
>> But there is no corresponding lockout action to take when a maxfailure limit
>> is reached. I.e., it is impossible to lockout "anonymous". You thus open a
>> security hole that cannot be closed.
>
> The password modify ext.op. request contains the DN (or username) of the entry
> to which the old password belongs.
>
> Since the old password is really checked you could apply the lockout to the
> entry for which the password is going to be changed. (It fails with Server is
> "unwilling to perform: unwilling to verify old password." even if the user is
> bound on that connection.)

You're still not thinking this through. One of the basic principles of 
security design is to reduce the number of possible attack surfaces. You are 
deliberately opening up a new attack vector with no real benefit. Since grace 
logins are already supported, your proposal doesn't benefit any real users. It 
only benefits potential attackers.

Closing this ITS.
-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/