Michael Ströder wrote:
hyc@symas.com wrote:
Michael Ströder wrote:
hyc@symas.com wrote:
michael@stroeder.com wrote:
Full_Name: Michael Ströder
Version: HEAD
OS:
URL:
Submission from: (NULL) (84.163.50.194)
I'd like to request that a Password Modify ext. op. request should succeed on a LDAP connection as anonymous if the LDAP client provides the correct old password.
E.g. OpenDS implements it like this and it makes sense to me regarding a user setting a new password in case of an expired password.
Adding this feature would open up the pwdModify exop as a mechanism for password guessing attacks.
There could be still the bad password counter in effect just like when processing bind requests.
But there is no corresponding lockout action to take when a maxfailure limit is reached. I.e., it is impossible to lockout "anonymous". You thus open a security hole that cannot be closed.
The password modify ext.op. request contains the DN (or username) of the entry to which the old password belongs.
Since the old password is really checked, you could apply the lockout to the entry for which the password is going to be changed. (It fails with "Server is unwilling to perform: unwilling to verify old password." even if the user is bound on that connection.)
You're still not thinking this through. One of the basic principles of security design is to reduce the number of possible attack surfaces. You are deliberately opening up a new attack vector with no real benefit. Since grace logins are already supported, your proposal doesn't benefit any real users. It only benefits potential attackers.
Closing this ITS.
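For context on the two mechanisms the thread refers to (the per-entry lockout counter and grace logins), here is an added example of a ppolicy overlay policy entry in cn=config style; it is not part of the ITS and the DNs, suffix and numeric values are assumptions chosen for illustration.

```ldif
# Attach the ppolicy overlay to the database (dbindex and suffix are assumed).
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
olcPPolicyUseLockout: FALSE

# Default policy entry. pwdLockout/pwdMaxFailure act on the *entry* that
# failed to bind, which is why a lockout has a target to apply to for bind
# requests but none for an anonymous connection.
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 900
pwdFailureCountInterval: 300
# Grace logins: after pwdMaxAge expires the user may still bind this many
# times, during which they can change their own password as themselves.
pwdGraceAuthNLimit: 3
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
# Require the old password in the modify, so a bound user proves knowledge
# of the current value before it is replaced.
pwdSafeModify: TRUE
```

With pwdGraceAuthNLimit set, a user whose password has expired binds with the old credential (consuming one grace authentication) and then changes it as an authenticated identity, so the failure counter and lockout still apply to that user's entry.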