I'm planning on allowing public access to my OpenLDAP server for address book access. I'm only planning to allow authenticated access, both via simple binds and SASL binds, not anonymously.
Is there an approach to preventing a brute force attack at guessing an entry's password? I've noticed that with my configuration, when performing an ldapwhoami or ldapsearch, and when submitting an incorrect password, I receive an immediate response that the password is bad, rather than a delay which I would like to have.
I'm using version 2.3.39.
In other words, this is what I get today:
~# time ldapsearch -Y DIGEST-MD5 -U abrown@olp.net -w badpassword
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: client response doesn't match what we generated

real    0m0.015s
user    0m0.012s
sys     0m0.004s
But I'd like to enforce a server side delay of, for example, 5 seconds.
I understand that I could implement the password policy overlay to temporarily lockout an account once it's reached a certain number of bad password attempts, but I believe that only applies to simple (-x) binds. Is that correct?
Thanks, - Dan White
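As an added, defender-side illustration (this is not part of Dan's post and not OpenLDAP project code): whichever bind path the guesses arrive on, slapd logs each failed Bind at loglevel "stats" as a RESULT line with err=49, the same invalidCredentials code shown above, so failures can at least be counted per client address and per DN from the server log. The script below assumes the standard stats log layout (ACCEPT, BIND and RESULT lines keyed by conn=N) and runs over constructed sample lines; the addresses, DN and connection numbers are made up. Note that in the sample the SASL DIGEST-MD5 failure carries an empty dn, so it can only be attributed by source address.

```python
import re
from collections import defaultdict

# Constructed slapd "stats" log excerpt (not real server output). conn=1000 and
# conn=1002 are simple binds (method=128) from the same address; conn=1001 is a
# SASL DIGEST-MD5 bind (method=163) whose first round returns err=14
# (saslBindInProgress) and whose second round fails with err=49.
SAMPLE_LOG = """\
slapd[123]: conn=1000 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
slapd[123]: conn=1000 op=0 BIND dn="uid=abrown,dc=example,dc=org" method=128
slapd[123]: conn=1000 op=0 RESULT tag=97 err=49 text=
slapd[123]: conn=1000 op=1 BIND dn="uid=abrown,dc=example,dc=org" method=128
slapd[123]: conn=1000 op=1 RESULT tag=97 err=49 text=
slapd[123]: conn=1000 op=2 BIND dn="uid=abrown,dc=example,dc=org" method=128
slapd[123]: conn=1000 op=2 RESULT tag=97 err=49 text=
slapd[123]: conn=1001 fd=13 ACCEPT from IP=198.51.100.7:40001 (IP=0.0.0.0:389)
slapd[123]: conn=1001 op=0 BIND dn="" method=163
slapd[123]: conn=1001 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
slapd[123]: conn=1001 op=1 BIND dn="" method=163
slapd[123]: conn=1001 op=1 RESULT tag=97 err=49 text=SASL(-13): authentication failure: client response doesn't match what we generated
slapd[123]: conn=1002 fd=14 ACCEPT from IP=192.0.2.10:51240 (IP=0.0.0.0:389)
slapd[123]: conn=1002 op=0 BIND dn="uid=abrown,dc=example,dc=org" method=128
slapd[123]: conn=1002 op=0 RESULT tag=97 err=49 text=
slapd[123]: conn=1002 op=1 BIND dn="uid=abrown,dc=example,dc=org" method=128
slapd[123]: conn=1002 op=1 RESULT tag=97 err=0 text=
slapd[123]: conn=1003 fd=15 ACCEPT from IP=203.0.113.5:50002 (IP=0.0.0.0:389)
slapd[123]: conn=1003 op=0 BIND dn="uid=other,dc=example,dc=org" method=128
slapd[123]: conn=1003 op=0 RESULT tag=97 err=0 text=
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r"conn=(\d+) op=\d+ RESULT tag=97 err=(\d+)")
INVALID_CREDENTIALS = "49"
SASL_UNKNOWN = "(sasl/unknown)"


def count_bind_failures(log_text):
    """Return (failures_by_ip, failures_by_dn) for every Bind RESULT with err=49.

    The ACCEPT line ties a conn id to the client address, the BIND line ties it
    to the DN being tried (empty for SASL), and the RESULT line carries the code.
    """
    conn_ip = {}
    conn_dn = {}
    by_ip = defaultdict(int)
    by_dn = defaultdict(int)
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            conn, dn, _method = m.groups()
            # SASL binds log dn="", so only simple binds give us a DN to count.
            if dn:
                conn_dn[conn] = dn
            continue
        m = RESULT_RE.search(line)
        if m and m.group(2) == INVALID_CREDENTIALS:
            conn = m.group(1)
            by_ip[conn_ip.get(conn, "unknown")] += 1
            by_dn[conn_dn.get(conn, SASL_UNKNOWN)] += 1
    return dict(by_ip), dict(by_dn)


def flag_sources(failures_by_ip, threshold):
    """Addresses with at least `threshold` failed binds, sorted for stable output."""
    return sorted(ip for ip, n in failures_by_ip.items() if n >= threshold)


if __name__ == "__main__":
    by_ip, by_dn = count_bind_failures(SAMPLE_LOG)
    print("failed binds per address:", by_ip)
    print("failed binds per DN:", by_dn)
    print("addresses over threshold 3:", flag_sources(by_ip, 3))
```

Counting is only a detection aid; it does not slow an attacker down by itself. Run against a live log it would feed whatever response you choose (a firewall rule, an alert, or a review of the ppolicy overlay's pwdMaxFailure and pwdLockoutDuration settings for the simple-bind case).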