Added ppolicy_use_lockout keyword; default behavior is not to issue the
PP_accountLocked error for locked accounts (this gives too much information to attackers).
parent
def2fab7b5
commit
d1292c1b14
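--- a/PATH_NOT_SHOWN_ON_PAGE_manpage
+++ b/PATH_NOT_SHOWN_ON_PAGE_manpage
@@ -25,9 +25,9 @@ policies, and there is no limit to the number of password policies
 that may be created.
 
 .SH CONFIGURATION
-There is one
+These
 .B slapd.conf
-configuration option for the ppolicy overlay. It should appear
+configuration options apply to the ppolicy overlay. They should appear
 after the
 .B overlay
 directive.
@@ -36,6 +36,22 @@ directive.
 Specify the DN of the pwdPolicy object to use when no specific policy is
 set on a given user's entry. If there is no specific policy for an entry
 and no default is given, then no policies will be enforced.
+.TP
+.B ppolicy_use_lockout
+A client will always receive an LDAP
+.B InvalidCredentials
+response when
+Binding to a locked account. By default, when a Password Policy control
+was provided on the Bind request, a Password Policy response will be
+included with no special error code set. This option changes the
+Password Policy response to include the
+.B AccountLocked
+error code. Note
+that sending the
+.B AccountLocked
+error code provides useful information
+to an attacker; sites that are sensitive to security issues should not
+enable this option.
 
 .SH OBJECT CLASS
 The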
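--- a/PATH_NOT_SHOWN_ON_PAGE_ppolicy_c
+++ b/PATH_NOT_SHOWN_ON_PAGE_ppolicy_c
@@ -40,7 +40,7 @@
 /* Per-instance configuration information */
 typedef struct pp_info {
 struct berval def_policy; /* DN of default policy subentry */
-int hide_lockout; /* omit AccountLocked result? */
+int use_lockout; /* send AccountLocked result? */
 } pp_info;
 
 /* Our per-connection info - note, it is not per-instance, it is
@@ -1050,7 +1050,7 @@ ppolicy_bind( Operation *op, SlapReply *rs )
 if ( rc ) {
 pp_info *pi = on->on_bi.bi_private;
 /* This will be the Draft 8 response, Unwilling is bogus */
-if ( !pi->hide_lockout ) ppb->pErr = PP_accountLocked;
+if ( pi->use_lockout ) ppb->pErr = PP_accountLocked;
 send_ldap_error( op, rs, LDAP_INVALID_CREDENTIALS, NULL );
 return rs->sr_err;
 }
@@ -1771,13 +1771,13 @@ ppolicy_config(
 return 1;
 }
 return 0;
-} else if ( strcasecmp( argv[0], "ppolicy_hide_lockout" ) == 0 ) {
+} else if ( strcasecmp( argv[0], "ppolicy_use_lockout" ) == 0 ) {
 if ( argc != 1 ) {
-fprintf( stderr, "%s: line %d: ppolicy_hide_lockout "
+fprintf( stderr, "%s: line %d: ppolicy_use_lockout "
 "takes no arguments\n", fname, lineno );
 return ( 1 );
 }
-pi->hide_lockout = 1;
+pi->use_lockout = 1;
 }
 return SLAP_CONF_UNKNOWN;
 }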