
ppolicy and repeated password



Hi all,
we'd like to use the ppolicy overlay to implement password locking after
a certain number of bind failures. Sadly ppolicy does not distinguish between
failures with different passwords (probably a dictionary attack) and failures
with the same password (a client using an old, expired password).
This would easily lead to locking out users shortly after password change.
I read that Zytrax has developed for Mozilla a modified version of ppolicy:
http://www.zytrax.com/books/ldap/ch6/ppolicy.html
which can distinguish between unique and repeated passwords.
The page states the modified mozilla-ppolicy is available for OpenLDAP
2.4.11 and 2.4.16.
Has anyone tried it with a newer version of OpenLDAP? Is it working?

Thank you in advance,
Stefano
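
The difference between the two counting rules described in the message above, as an added example that is not part of the original post and is not the Zytrax/Mozilla or OpenLDAP code. `FailureTracker`, `replay`, the threshold of 5 and the sample passwords are all hypothetical.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5  # assumed threshold, playing the role of ppolicy's pwdMaxFailure


class FailureTracker:
    """Bind-failure state for one entry (hypothetical, not an OpenLDAP API)."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        # Failed attempts are often near-misses of the real password, so only
        # keyed digests are kept, under a random per-entry key.
        self._key = os.urandom(32)
        self._seen = set()
        self.total_failures = 0

    def record_failure(self, password):
        digest = hmac.new(self._key, password.encode("utf-8"), hashlib.sha256).digest()
        self.total_failures += 1      # what a plain counter sees
        self._seen.add(digest)        # a repeated password adds nothing new

    def record_success(self):
        self.total_failures = 0
        self._seen.clear()

    def locked_plain(self):
        return self.total_failures >= self.max_failures

    def locked_unique(self):
        return len(self._seen) >= self.max_failures


def replay(attempts, max_failures=MAX_FAILURES):
    """Return (locked_plain, locked_unique) after a run of failed binds."""
    tracker = FailureTracker(max_failures)
    for password in attempts:
        tracker.record_failure(password)
    return tracker.locked_plain(), tracker.locked_unique()


# Constructed inputs: a mail client retrying a stale password, and varied guesses.
STALE_CLIENT = ["Old-Passw0rd"] * 12
VARIED_GUESSES = ["guess-%d" % i for i in range(6)]

if __name__ == "__main__":
    print("stale client  :", replay(STALE_CLIENT))
    print("varied guesses:", replay(VARIED_GUESSES))
```

With the plain counter both runs lock the account; with the unique-password counter only the run of varied guesses does.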