[Date Prev][Date Next]
Server side delay for bad passwords?
I'm planning on allowing public access to my OpenLDAP server for
address book access. I'm only planning to allow authenticated
access, both via simple binds and SASL binds, not anonymously.
Is there an approach to preventing a brute force attack at
guessing an entry's password? I've noticed that with my
configuration, when performing an ldapwhoami or ldapsearch, and
when submitting an incorrect password, I receive an immediate
response that the password is bad, rather than a delay which I
would like to have.
I'm using version 2.3.39.
In other words, this is what I get today:
~# time ldapsearch -Y DIGEST-MD5 -U firstname.lastname@example.org -w badpassword
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): authentication failure:
client response doesn't match what we generated
But I'd like to enforce a server side delay of, for example, 5
I understand that I could implement the password policy overlay
to temporarily lockout an account once it's reached a certain
number of bad password attempts, but I believe that only applies
to simple (-x) binds. Is that correct?
- Dan White