[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Server side delay for bad passwords?

Dan White skrev, on 07-02-2008 18:42:


I understand that I could implement the password policy overlay to temporarily lockout an account once it's reached a certain number of bad password attempts, but I believe that only applies to simple (-x) binds. Is that correct?

My site's running ppolicy on 2.3 on Linux for gdm logins with great success; however, my understanding is, that it only cares about pam/pam_exop calls (presumably also similar from dedicated client or proxy software). Looking at the relevant operational attributes in gq, one can see that each failed login is recorded tn the pwdFailureTime attribute. Doing a repeated ldapsearch -x on an account with an invalid password doesn't make the blindest bit of difference to this attribute and multiple failed attempts are allowed.

I've also wanted what you want but refuse to publish site email addresses on the Internet to all and sundry. At the moment authorized users can obtain site-specific info by logging into webmail, which uses LDAP internally.



Tony Earnshaw
Email: tonni at hetnet dot nl