Server-side delay for bad passwords?

I'm planning on allowing public access to my OpenLDAP server for address book access. I'm only planning to allow authenticated access, both via simple binds and SASL binds, not anonymously.

Is there an approach to preventing a brute-force attack at guessing an entry's password? I've noticed that with my configuration, when performing an ldapwhoami or ldapsearch and submitting an incorrect password, I receive an immediate response that the password is bad, rather than a delay, which I would like to have.

I'm using version 2.3.39.

In other words, this is what I get today:

~# time ldapsearch -Y DIGEST-MD5 -U abrown@olp.net -w badpassword
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): authentication failure: client response doesn't match what we generated

real    0m0.015s
user    0m0.012s
sys     0m0.004s

But I'd like to enforce a server-side delay of, for example, 5 seconds.

I understand that I could implement the password policy overlay to temporarily lock out an account once it's reached a certain number of bad password attempts, but I believe that only applies to simple (-x) binds. Is that correct?

- Dan White
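A lockout policy of the kind the post mentions, as an added example that is not part of the mailing-list post: it assumes the ppolicy overlay is already loaded in slapd.conf and uses a placeholder suffix dc=example,dc=com; whether it also covers SASL binds is left as the open question above.

```ldif
# Added example (not from the post): default pwdPolicy entry for the
# OpenLDAP ppolicy overlay. Assumes slapd.conf already contains
#   include    /etc/openldap/schema/ppolicy.schema
#   moduleload ppolicy.la
#   overlay    ppolicy
#   ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
# and that ou=policies,dc=example,dc=com exists. Load with ldapadd.
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
# Lock the entry after 5 consecutive failed binds ...
pwdMaxFailure: 5
# ... counted within a 300-second window; 0 would keep failures forever
pwdFailureCountInterval: 300
pwdLockout: TRUE
# Unlock automatically after 600 seconds; 0 would require an admin reset
pwdLockoutDuration: 600
```

Failed binds against a locked entry keep returning Invalid credentials (49), so the client gets no hint that the lockout, rather than the password, is the cause.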