Added ppolicy_use_lockout keyword; Default behavior is not to issue the

PP_accountLocked error for locked accounts. (Gives too much information
to attackers.)
This commit is contained in:
Howard Chu 2004-03-18 10:35:54 +00:00
parent def2fab7b5
commit d1292c1b14
2 changed files with 23 additions and 7 deletions

View File

@ -25,9 +25,9 @@ policies, and there is no limit to the number of password policies
that may be created.
.SH CONFIGURATION
There is one
These
.B slapd.conf
configuration option for the ppolicy overlay. It should appear
configuration options apply to the ppolicy overlay. They should appear
after the
.B overlay
directive.
@ -36,6 +36,22 @@ directive.
Specify the DN of the pwdPolicy object to use when no specific policy is
set on a given user's entry. If there is no specific policy for an entry
and no default is given, then no policies will be enforced.
.TP
.B ppolicy_use_lockout
A client will always receive an LDAP
.B InvalidCredentials
response when
Binding to a locked account. By default, when a Password Policy control
was provided on the Bind request, a Password Policy response will be
included with no special error code set. This option changes the
Password Policy response to include the
.B AccountLocked
error code. Note
that sending the
.B AccountLocked
error code provides useful information
to an attacker; sites that are sensitive to security issues should not
enable this option.
.SH OBJECT CLASS
The

View File

@ -40,7 +40,7 @@
/* Per-instance configuration information */
typedef struct pp_info {
struct berval def_policy; /* DN of default policy subentry */
int hide_lockout; /* omit AccountLocked result? */
int use_lockout; /* send AccountLocked result? */
} pp_info;
/* Our per-connection info - note, it is not per-instance, it is
@ -1050,7 +1050,7 @@ ppolicy_bind( Operation *op, SlapReply *rs )
if ( rc ) {
pp_info *pi = on->on_bi.bi_private;
/* This will be the Draft 8 response, Unwilling is bogus */
if ( !pi->hide_lockout ) ppb->pErr = PP_accountLocked;
if ( pi->use_lockout ) ppb->pErr = PP_accountLocked;
send_ldap_error( op, rs, LDAP_INVALID_CREDENTIALS, NULL );
return rs->sr_err;
}
@ -1771,13 +1771,13 @@ ppolicy_config(
return 1;
}
return 0;
} else if ( strcasecmp( argv[0], "ppolicy_hide_lockout" ) == 0 ) {
} else if ( strcasecmp( argv[0], "ppolicy_use_lockout" ) == 0 ) {
if ( argc != 1 ) {
fprintf( stderr, "%s: line %d: ppolicy_hide_lockout "
fprintf( stderr, "%s: line %d: ppolicy_use_lockout "
"takes no arguments\n", fname, lineno );
return ( 1 );
}
pi->hide_lockout = 1;
pi->use_lockout = 1;
}
return SLAP_CONF_UNKNOWN;
}