Re: search right and attribute existence
Michael Ströder <michael@stroeder.com> wrote:

> To deal with brute-force attempts you have to establish central
> logging with appropriate log watchers which alarm you in case
> of a brute-force attack.

What about this line of defense?

overlay                 rwm
rwm-rewriteEngine       on
rwm-rewriteContext      searchFilter
rwm-rewriteRule  "(.*\\()?secret=[^\\)]*(\\).*)?" "$1secret=*$2"

This turns any search filter against the secret attribute into * in
order to thwart brute force attempts. Used with a search level ACL, this
will cause the server to only reveal whether the attribute is present or
not.

I gave it a try and it seems to work. Any comment?

An improvement would be to exempt some users (a group) from this rule.
Any idea how I can do that?

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
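As an added example (not part of Emmanuel's post), here is a Python equivalent of the rwm rule above, run over constructed sample filters, together with an audit that reports which filters still carry a secret value after rewriting. The sample filters and the audit regex are assumptions of this example, not anything from the post.

```python
import re

# Constructed Python form of the slapd.conf rule above. slapd.conf's
# "\\(" reaches the regex engine as "\(", so the pattern is:
RULE = re.compile(r"(.*\()?secret=[^\)]*(\).*)?")
# rwm's "$1secret=*$2" becomes Python's "\1secret=*\2"; an unmatched
# optional group substitutes as an empty string, as rwm does.
REPLACEMENT = r"\1secret=*\2"


def rewrite_filter(search_filter: str) -> str:
    """Apply the rule in a single pass, as rwm does without repeat flags."""
    return RULE.sub(REPLACEMENT, search_filter, count=1)


def leaks_value(search_filter: str) -> bool:
    """True if the rewritten filter still tests 'secret' against anything
    other than the bare presence wildcard '*'.

    Attribute names are matched case-insensitively here because LDAP
    attribute types are case-insensitive (assumption of this audit)."""
    rewritten = rewrite_filter(search_filter)
    for m in re.finditer(r"\(secret[^=]*=([^)]*)\)", rewritten, re.IGNORECASE):
        if m.group(1) != "*":
            return True
    return False


def audit(filters):
    """Return the subset of filters the rule does not fully neutralise."""
    return [f for f in filters if leaks_value(f)]


# Constructed sample filters a client might send against the directory.
SAMPLE_FILTERS = [
    "(secret=hunter2)",
    "(&(uid=manu)(secret=h*))",
    "(|(secret=a)(secret=b))",
    "(SECRET=a)",
]

if __name__ == "__main__":
    for f in SAMPLE_FILTERS:
        print(f"{f:32} -> {rewrite_filter(f)}")
    print("still value-dependent:", audit(SAMPLE_FILTERS))
```

Two things the audit surfaces: with the rule applied once, only the last secret= assertion in a filter is rewritten (see slapo-rwm(5) for the rule repeat flags), and the pattern is case-sensitive while LDAP attribute names are not.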