Hello,
Currently, the granularity of pwdGraceUseTime is one second. This allows a client to successfully bind with the old password as many times as they want during N seconds (where N is equal to pwdGraceAuthnLimit), which may be unwanted. Would it be possible to increase the granularity, and if so, what size would make sense? Could it be made configurable?
FWIW, I know that basically every major LDAP server has one-second granularity, and that this does not mitigate the actual issue (it only lowers the time window during which this can be misused).
Thanks and regards.
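As an added illustration of the accounting described above (this is example code, not code from the original message or from OpenLDAP's ppolicy overlay), here is a small Python model of how one-second granularity lets binds within the same second go uncounted. The model assumes, for illustration only, that pwdGraceUseTime is a multi-valued GeneralizedTime attribute whose values form a set of distinct timestamps, that a grace bind is refused once the number of stored values reaches pwdGraceAuthnLimit, and that finer granularity would be expressed with the fractional seconds that RFC 4517 GeneralizedTime syntax permits. The names GracePolicy, generalized_time and simulate are the example's own.

```python
from datetime import datetime, timedelta, timezone


def generalized_time(ts: datetime, fractional_digits: int = 0) -> str:
    """Render a UTC datetime as LDAP GeneralizedTime (RFC 4517).

    With fractional_digits=0 this is the usual YYYYmmddHHMMSSZ form;
    with a positive value a fraction of a second is appended, which the
    syntax allows (assumption: this is how finer granularity would be stored).
    """
    value = ts.strftime("%Y%m%d%H%M%S")
    if fractional_digits:
        value += "." + f"{ts.microsecond:06d}"[:fractional_digits]
    return value + "Z"


class GracePolicy:
    """Toy model of grace-bind accounting (assumption, not ppolicy's own code)."""

    def __init__(self, grace_authn_limit: int, fractional_digits: int = 0):
        self.limit = grace_authn_limit
        self.digits = fractional_digits
        # A multi-valued attribute holds distinct values, so model it as a set:
        # adding a timestamp equal to an existing one does not grow it.
        self.pwd_grace_use_time: set[str] = set()

    def bind_with_expired_password(self, now: datetime) -> bool:
        """Return True if the grace bind is allowed, False if grace is exhausted."""
        if len(self.pwd_grace_use_time) >= self.limit:
            return False
        self.pwd_grace_use_time.add(generalized_time(now, self.digits))
        return True


def simulate(fractional_digits: int, attempts: int, interval_ms: int, limit: int = 3) -> int:
    """Run `attempts` grace binds spaced `interval_ms` apart; return how many succeed."""
    policy = GracePolicy(limit, fractional_digits)
    # Constructed start time; any fixed instant works for the model.
    t0 = datetime(2019, 3, 13, 16, 49, 0, tzinfo=timezone.utc)
    successes = 0
    for i in range(attempts):
        if policy.bind_with_expired_password(t0 + timedelta(milliseconds=i * interval_ms)):
            successes += 1
    return successes


if __name__ == "__main__":
    # 50 binds, 10 ms apart, all inside one second: with one-second granularity
    # the attribute never gains a second value, so every bind succeeds.
    print("1 s granularity, same second:", simulate(0, 50, 10))
    # Same burst with millisecond granularity: limit of 3 is enforced.
    print("1 ms granularity, same second:", simulate(3, 50, 10))
    # One bind per second: the one-second granularity is enough.
    print("1 s granularity, 1 s apart:  ", simulate(0, 50, 1000))
```

The first call is the case the message describes: the limit is nominally 3, but since all 50 binds land in the same second, the set of pwdGraceUseTime values never grows past one entry and none of them is refused. Finer granularity makes the limit bite within a burst, but as the message notes it only narrows the window; it does not change the fact that each distinct timestamp still buys one more grace bind.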
--On Wednesday, March 13, 2019 5:49 PM +0100 Matus Honek mhonek@redhat.com wrote:
> Hello,
> Currently, the granularity of pwdGraceUseTime is one second. This allows a client to successfully bind with the old password as many times as they want during N seconds (where N is equal to pwdGraceAuthnLimit), which may be unwanted. Would it be possible to increase the granularity, and if so, what size would make sense? Could it be made configurable?
I would suggest filing an ITS along the lines of ITS#7161.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
openldap-technical@openldap.org