[Date Prev][Date Next]
Re: Server side delay for bad passwords?
On Friday 08 February 2008 08:11:58 Tony Earnshaw wrote:
> Dan White skrev, on 07-02-2008 18:42:
> > I understand that I could implement the password policy overlay to
> > temporarily lockout an account once it's reached a certain number of bad
> > password attempts, but I believe that only applies to simple (-x) binds.
> > Is that correct?
> My site's running ppolicy on 2.3 on Linux for gdm logins with great
> success; however, my understanding is, that it only cares about
> pam/pam_exop calls (presumably also similar from dedicated client or
> proxy software).
exop only affects how passwords are changed, not what the client sends on a
simple bind request.
> Looking at the relevant operational attributes in gq,
> one can see that each failed login is recorded tn the pwdFailureTime
> attribute. Doing a repeated ldapsearch -x on an account with an invalid
> password doesn't make the blindest bit of difference to this attribute
> and multiple failed attempts are allowed.
Uh, when binding as the DN in question, or not (your ldapsearch -x is
In the testing I did a while back (where I used ldapwhoami), simple binds with
and without the ppolicy control both resulted in lockout (but the one with
the control would warn about impending expiry when testing expiry). In fact,
I broke replication on one of the dev slaves that was using a simple bind in
the syncrepl configuration.