
On pwdGraceUseTime granularity



Hello,

currently, the granularity of pwdGraceUseTime is one second. This allows
a client to successfully bind with the old password as many times as they
want during N seconds (where N is equal to pwdGraceAuthnLimit), which
may be unwanted. Would it be possible to increase the granularity, and
if so, what size would make sense? Could it be made configurable?

FWIW, I know that basically every major LDAP server has one second
granularity, and that this does not mitigate the actual issue (only
lowers the time window during which this can be misused).

Thanks and regards.
-- 
Matúš Honěk
Software Engineer
Red Hat Czech
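
The effect described in the message above, as an added example that is not part of the original post and not OpenLDAP code. It is a simplified model that assumes the server records each grace bind as one timestamp value in a set-valued attribute and compares the number of stored values with pwdGraceAuthnLimit; the function names and the sample bind times are constructed for illustration.

```python
# Simplified model (assumption): one timestamp value is stored per grace
# bind, equal values collapse into one, and the number of stored values is
# compared with pwdGraceAuthnLimit. This is not OpenLDAP's implementation.

def grace_binds_allowed(bind_times_us, grace_limit, granularity_us):
    """Return how many binds with an expired password succeed.

    bind_times_us  -- bind times in integer microseconds (constructed input)
    grace_limit    -- value of pwdGraceAuthnLimit
    granularity_us -- resolution of the recorded pwdGraceUseTime values
    """
    recorded = set()   # attribute values; equal timestamps collapse to one
    allowed = 0
    for t in bind_times_us:
        if len(recorded) >= grace_limit:
            continue   # grace logins used up, bind refused
        allowed += 1
        # Truncate the bind time to the configured resolution before storing.
        recorded.add(t - t % granularity_us)
    return allowed


# Constructed input: 10 binds per second for 5 seconds.
BURST = [i * 100_000 for i in range(50)]
SECOND = 1_000_000


def compare(limit=3):
    """Count successful grace binds for the same burst at two resolutions."""
    return {
        "one_second": grace_binds_allowed(BURST, limit, SECOND),
        "microsecond": grace_binds_allowed(BURST, limit, 1),
    }


if __name__ == "__main__":
    print(compare())
    # Binds that share a timestamp still collapse at the finer resolution,
    # so the window gets smaller but does not disappear.
    print(grace_binds_allowed([5, 5, 5, 5], 2, 1))
```
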