[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Server side delay for bad passwords?

Hallvard B Furuseth wrote:
Dan White writes:
I'm planning on allowing public access to my OpenLDAP server for
address book access. I'm only planning to allow authenticated
access, both via simple binds and SASL binds, not anonymously.
But I'd like to enforce a server side delay of, for example, 5
Several seconds' delay?  Your users would murder you.  Except the ones
who didn't know LDAP already and just concluded that LDAP is crap.

I'd only want a delay when a user/attacker has entered a bad password, similar to the way a UNIX shell introduces a delay. My concern is that the faster I tune my server, the more likely it will become that an attacker will brute force a password.

Don't know, but the manpage doesn't mention "simple", only "bind".

I've seen mention on the list before that ppolicy does not apply to SASL binds, and that's been my experience in testing as well.

- Dan