Michael Ströder wrote:
hyc@symas.com wrote:
michael@stroeder.com wrote:
Full_Name: Michael Ströder
Version: HEAD
OS:
URL:
Submission from: (NULL) (84.163.50.194)
I'd like to request that a Password Modify ext. op. request should succeed on an LDAP connection as anonymous if the LDAP client provides the correct old password.
E.g. OpenDS implements it like this and it makes sense to me regarding a user setting a new password in case of an expired password.
Adding this feature would open up the pwdModify exop as a mechanism for password guessing attacks.
The bad-password counter could still be in effect, just like when processing bind requests.
But there is no corresponding lockout action to take when a maxfailure limit is reached. I.e., it is impossible to lock out "anonymous". You thus open a security hole that cannot be closed.
Again - No.
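The argument above, worked through as an added example that is not part of this thread and is not slapd or ppolicy code: a deliberately simplified model of a directory whose password policy charges each failed authentication to the authenticating identity and locks that identity after pwdMaxFailure failures. Guessing through Bind hits the lockout; guessing through the proposed anonymous Password Modify exop never does, because the authenticating identity is the empty DN and there is no entry on which to count failures or set a lock. The class and function names, the example DN and the wordlist are all constructed for the illustration.

```python
"""Simplified model of a password policy with a failure counter and lockout
(in the spirit of ppolicy's pwdMaxFailure/pwdLockout), used to compare
password guessing via Bind with guessing via an anonymous Password Modify
extended operation that verifies the old password.  Added illustration only;
not OpenLDAP code.  Entry DNs and the wordlist are constructed."""

from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

PWD_MAX_FAILURE = 5   # failed authentications before lockout (cf. pwdMaxFailure)
ANONYMOUS = ""        # the empty DN: the identity of an unauthenticated connection


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Entry:
    dn: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0      # stands in for the pwdFailureTime values on the entry
    locked: bool = False   # stands in for pwdAccountLockedTime being set


class Directory:
    def __init__(self) -> None:
        self.entries: dict[str, Entry] = {}

    def add(self, dn: str, password: str) -> None:
        salt = os.urandom(16)
        self.entries[dn] = Entry(dn, salt, _derive(password, salt))

    def _password_ok(self, entry: Entry, password: str) -> bool:
        return hmac.compare_digest(entry.pw_hash, _derive(password, entry.salt))

    def _record_failure(self, authc_dn: str) -> None:
        """Policy hook: a failure is charged to the *authenticating* identity.
        Anonymous has no entry, so there is nothing to count and nothing to lock."""
        entry = self.entries.get(authc_dn)
        if entry is None:
            return
        entry.failures += 1
        if entry.failures >= PWD_MAX_FAILURE:
            entry.locked = True

    def bind(self, dn: str, password: str) -> str:
        entry = self.entries[dn]
        if entry.locked:
            return "accountLocked"          # refused before the password is even checked
        if self._password_ok(entry, password):
            entry.failures = 0
            return "success"
        self._record_failure(dn)
        return "invalidCredentials"

    def passwd_exop(self, authc_dn: str, target_dn: str, old: str, new: str) -> str:
        """Password Modify as requested in the ITS: the old password is verified
        even when authc_dn is ANONYMOUS.  The policy hook only ever sees authc_dn."""
        entry = self.entries[target_dn]
        if self._password_ok(entry, old):
            entry.salt = os.urandom(16)
            entry.pw_hash = _derive(new, entry.salt)
            return "success"
        self._record_failure(authc_dn)
        return "invalidCredentials"


def guess(directory: Directory, target_dn: str, wordlist: list[str], via: str) -> tuple[int, str | None]:
    """Run a wordlist against target_dn via "bind" or via anonymous "exop".
    Returns (attempts made, recovered password or None)."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if via == "bind":
            result = directory.bind(target_dn, candidate)
        else:
            result = directory.passwd_exop(ANONYMOUS, target_dn, candidate, candidate)
        if result == "success":
            return attempts, candidate
        if result == "accountLocked":
            break                           # the lockout ends the bind-based attack
    return attempts, None


def demo() -> dict[str, tuple[int, str | None, bool]]:
    """Same target, same wordlist, both paths; the real password sits at index 7."""
    target = "uid=alice,ou=people,dc=example,dc=com"            # constructed
    wordlist = ["password", "123456", "qwerty", "letmein", "welcome",
                "admin", "secret", "s3cr3t!", "dragon", "monkey"]  # constructed
    results = {}
    for via in ("bind", "exop"):
        d = Directory()
        d.add(target, "s3cr3t!")
        attempts, found = guess(d, target, wordlist, via)
        results[via] = (attempts, found, d.entries[target].locked)
    return results


if __name__ == "__main__":
    for via, (attempts, found, locked) in demo().items():
        print(f"{via}: {attempts} attempts, recovered={found!r}, target locked={locked}")
```

In the bind path the fifth failure locks the entry and the sixth attempt is refused outright, so the wordlist never reaches the real password; in the exop path every failure is charged to the empty DN, which has no entry, so the attacker walks the whole list and recovers the password without leaving a lock on anything. Applying the counter to the target entry instead, as the reply above suggests, is what the model does not do, because the maintainer's objection is precisely that the lockout action has no identity to act on.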