Hallvard B Furuseth wrote:
> Dan White writes:
>> I'm planning on allowing public access to my OpenLDAP server for address book access. I'm only planning to allow authenticated access, both via simple binds and SASL binds, not anonymously. (...) But I'd like to enforce a server side delay of, for example, 5 seconds.
> Several seconds' delay? Your users would murder you. Except the ones who didn't know LDAP already and just concluded that LDAP is crap.
I'd only want a delay when a user/attacker has entered a bad password, similar to the way a UNIX shell introduces a delay. My concern is that the faster I tune my server, the more likely it will become that an attacker will brute force a password.
> Don't know, but the manpage doesn't mention "simple", only "bind".
I've seen mention on the list before that ppolicy does not apply to SASL binds, and that's been my experience in testing as well.
- Dan
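
Added example, not part of the thread: a log-side check that counts failed binds per client address, so repeated bad passwords can be flagged regardless of whether the bind was simple or SASL (the case the thread reports ppolicy does not cover). It assumes slapd is logging at the `stats` level in its usual `conn=... ACCEPT` / `RESULT tag=97 err=49` form; the sample lines are constructed, and the function names and threshold are hypothetical.

```python
import re
from collections import Counter

# Assumed slapd "stats" log shapes; IPv6 peers appear as IP=[addr]:port.
ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\[[^\]]+\]|[^:\s]+):\d+")
RESULT = re.compile(r"conn=(\d+) op=\d+ RESULT tag=97 err=(\d+)")  # tag=97 = BindResponse
CLOSED = re.compile(r"conn=(\d+) fd=\d+ closed")

def failed_binds_by_ip(lines):
    """Count err=49 (invalidCredentials) bind results per client address."""
    conn_ip, failures = {}, Counter()
    for line in lines:
        if m := ACCEPT.search(line):
            conn_ip[m.group(1)] = m.group(2)       # remember who owns this conn id
        elif m := RESULT.search(line):
            if m.group(2) == "49":
                failures[conn_ip.get(m.group(1), "unknown")] += 1
        elif m := CLOSED.search(line):
            conn_ip.pop(m.group(1), None)          # conn ids can be reused later
    return failures

def over_threshold(lines, max_failures=3):
    """Addresses with at least max_failures failed binds (hypothetical threshold)."""
    counts = failed_binds_by_ip(lines)
    return sorted(ip for ip, n in counts.items() if n >= max_failures)

# Constructed sample: one client failing simple and SASL binds across two
# connections, and one user who mistypes once and then succeeds.
SAMPLE = """\
conn=1001 fd=14 ACCEPT from IP=198.51.100.7:40112 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=org" method=128
conn=1001 op=0 RESULT tag=97 err=49 text=
conn=1001 op=1 BIND dn="uid=alice,ou=people,dc=example,dc=org" method=128
conn=1001 op=1 RESULT tag=97 err=49 text=
conn=1001 fd=14 closed (connection lost)
conn=1002 fd=15 ACCEPT from IP=203.0.113.20:51800 (IP=0.0.0.0:389)
conn=1002 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=org" method=128
conn=1002 op=0 RESULT tag=97 err=49 text=
conn=1002 op=1 BIND dn="uid=bob,ou=people,dc=example,dc=org" method=128
conn=1002 op=1 RESULT tag=97 err=0 text=
conn=1003 fd=14 ACCEPT from IP=198.51.100.7:40113 (IP=0.0.0.0:389)
conn=1003 op=0 BIND dn="" method=163
conn=1003 op=0 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database
""".splitlines()

if __name__ == "__main__":
    print(over_threshold(SAMPLE))
```

The list it returns can feed whatever does the blocking or delaying outside slapd, such as a firewall rule or a log-watching ban tool.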