Re: (ITS#6249) Feature request: Password Modify ext. op. and anonymous LDAP connection - openldap-bugs

11 Aug 2009


      michael@stroeder.com wrote:
...
Full_Name: Michael Ströder
Version: HEAD
OS:
URL:
Submission from: (NULL) (84.163.50.194)
I'd like to request that a Password Modify ext. op. request should succeed on a
LDAP connection as anonymous if the LDAP client provides the correct old
password.
E.g. OpenDS implements it like this and it makes sense to me regarding a user
setting a new password in case of an expired password.
Adding this feature would open up the pwdModify exop as a mechanism for 
password guessing attacks. In fact, in the next draft of the ppolicy spec I 
was intending to explicitly forbid this type of usage, to prevent such attacks.
http://www.openldap.org/lists/ietf-ldapext/200908/msg00006.html
The ppolicy spec provides for grace logins after a password is expired, to 
give users a few last opportunities to change their password. If they don't 
take advantage of those grace logins, then they are out of luck and must get 
help from a password administrator.
I'm going to reject this ITS.
-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/