
Re: 'Max login attempts' variable/config?

On Thu, Dec 14, 2000 at 09:56:23AM -0600, Randy Kunkee wrote:

> > I'd like to limit the number of tries a user can enter the wrong
> > password in one go...

> Sounds like you'd like to have this policy in the server.  However,
> I think this is problematic as there may be good reasons to bind
> to the server from various hosts within your organizations, and
> perhaps from outside (eg. address books).  This sort of thing should
> be implemented from the client, eg. the unix 'login' that exits after,
> say, 3 tries.

It's not clear to me: are you using LDAP to authenticate UNIX accounts, or
talking about authentication in the LDAP bind operation? If the former, then
you are partially right: it can be implemented in the clients (like login).
But you are wrong in the sense that the LDAP database should be protected
very well in this case. If you are talking about dictionary attacks against
the LDAP server itself, then you are wrong: only the slapd daemon is in a
position to check and limit the number of allowed authentication failures;
it cannot be done at the client side (for obvious reasons).

slapd currently does not implement such limitations (at least I do not know
about it). So if you allow just 'auth' access to the userPassword attribute
from untrusted sources, you are in big trouble, as dictionary attacks can
be easily done without being noticed.

Conclusion: If you are concerned about dictionary attacks, you should not
allow any password-based authentication mechanisms from untrusted sources
(at least not until slapd implements limits for failed authentications).


Gabor Gombas                                       Eotvos Lorand University
E-mail: gombasg@inf.elte.hu                        Hungary
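The reply above makes two points: only slapd itself can enforce a failure limit on binds, and without one a dictionary attack "can be easily done without being noticed". The following is an added example, not code from the thread or from the OpenLDAP project, addressing the second point from the defender's side: it scans slapd-style bind logging and flags source addresses and target DNs that accumulate failed binds. The log lines are constructed to resemble slapd's stats-level logging as written through syslog (conn/op BIND and RESULT lines, err=49 being invalidCredentials), and the threshold of 3 failures is an assumed value for illustration.

```python
"""Flag repeated failed LDAP binds in slapd-style log lines.

Added example (not from the mailing-list thread). Sample log lines below
are constructed to look like slapd 'stats' logging via syslog; the
failure threshold is an assumed value.
"""
import re
from collections import defaultdict

# LDAP resultCode 49 = invalidCredentials; tag=97 is the bindResponse tag.
INVALID_CREDENTIALS = 49

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")

# Constructed sample: one source (192.0.2.10) guessing passwords for two
# accounts over two connections, and one user (198.51.100.7) mistyping once.
SAMPLE_LOG = """\
Dec 14 09:56:01 ldap1 slapd[2219]: conn=1000 fd=12 ACCEPT from IP=192.0.2.10:40001 (IP=0.0.0.0:389)
Dec 14 09:56:01 ldap1 slapd[2219]: conn=1000 op=0 BIND dn="uid=alice,dc=example,dc=com" method=128
Dec 14 09:56:01 ldap1 slapd[2219]: conn=1000 op=0 RESULT tag=97 err=49 text=
Dec 14 09:56:01 ldap1 slapd[2219]: conn=1000 op=1 BIND dn="uid=alice,dc=example,dc=com" method=128
Dec 14 09:56:01 ldap1 slapd[2219]: conn=1000 op=1 RESULT tag=97 err=49 text=
Dec 14 09:56:02 ldap1 slapd[2219]: conn=1000 op=2 BIND dn="uid=alice,dc=example,dc=com" method=128
Dec 14 09:56:02 ldap1 slapd[2219]: conn=1000 op=2 RESULT tag=97 err=49 text=
Dec 14 09:56:02 ldap1 slapd[2219]: conn=1000 op=3 BIND dn="uid=alice,dc=example,dc=com" method=128
Dec 14 09:56:02 ldap1 slapd[2219]: conn=1000 op=3 RESULT tag=97 err=49 text=
Dec 14 09:56:02 ldap1 slapd[2219]: conn=1000 fd=12 closed
Dec 14 09:56:10 ldap1 slapd[2219]: conn=1001 fd=13 ACCEPT from IP=198.51.100.7:51022 (IP=0.0.0.0:389)
Dec 14 09:56:10 ldap1 slapd[2219]: conn=1001 op=0 BIND dn="uid=carol,dc=example,dc=com" method=128
Dec 14 09:56:10 ldap1 slapd[2219]: conn=1001 op=0 RESULT tag=97 err=49 text=
Dec 14 09:56:14 ldap1 slapd[2219]: conn=1001 op=1 BIND dn="uid=carol,dc=example,dc=com" method=128
Dec 14 09:56:14 ldap1 slapd[2219]: conn=1001 op=1 RESULT tag=97 err=0 text=
Dec 14 09:56:20 ldap1 slapd[2219]: conn=1002 fd=12 ACCEPT from IP=192.0.2.10:40002 (IP=0.0.0.0:389)
Dec 14 09:56:20 ldap1 slapd[2219]: conn=1002 op=0 BIND dn="uid=bob,dc=example,dc=com" method=128
Dec 14 09:56:20 ldap1 slapd[2219]: conn=1002 op=0 RESULT tag=97 err=49 text=
"""


def parse_failed_binds(lines):
    """Return a list of (client_ip, bind_dn) for every bind that failed
    with invalidCredentials. Connection ids are mapped to the client IP
    seen on the ACCEPT line; BIND lines are paired with their RESULT by
    (conn, op) because slapd logs them as separate records."""
    conn_ip = {}
    pending = {}
    failures = []
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and int(m.group(3)) == INVALID_CREDENTIALS:
            dn = pending.pop((m.group(1), m.group(2)), "")
            failures.append((conn_ip.get(m.group(1), "?"), dn))
    return failures


def failure_counts(failures):
    """Aggregate failures per source IP and per target DN. Counting per IP
    across connections matters: a guesser can reconnect for every attempt."""
    by_ip = defaultdict(int)
    by_dn = defaultdict(int)
    for ip, dn in failures:
        by_ip[ip] += 1
        by_dn[dn] += 1
    return dict(by_ip), dict(by_dn)


def flag_sources(failures, threshold=3):
    """Return (suspicious_ips, targeted_dns) at or above the assumed threshold."""
    by_ip, by_dn = failure_counts(failures)
    ips = sorted(ip for ip, n in by_ip.items() if n >= threshold)
    dns = sorted(dn for dn, n in by_dn.items() if n >= threshold)
    return ips, dns


if __name__ == "__main__":
    fails = parse_failed_binds(SAMPLE_LOG.splitlines())
    ips, dns = flag_sources(fails)
    print("failed binds:", len(fails))
    print("sources over threshold:", ips)
    print("accounts over threshold:", dns)
```

Run against a real slapd log, this only reports after the fact; it does not replace the server-side limit the reply says slapd lacks, but it does make a dictionary attack noticed rather than silent.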