mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
Added ppolicy_use_lockout keyword; Default behavior is not to issue the
PP_accountLocked error for locked accounts. (Gives too much information to attackers.)
This commit is contained in:
parent
def2fab7b5
commit
d1292c1b14
@ -25,9 +25,9 @@ policies, and there is no limit to the number of password policies
|
||||
that may be created.
|
||||
|
||||
.SH CONFIGURATION
|
||||
There is one
|
||||
These
|
||||
.B slapd.conf
|
||||
configuration option for the ppolicy overlay. It should appear
|
||||
configuration options apply to the ppolicy overlay. They should appear
|
||||
after the
|
||||
.B overlay
|
||||
directive.
|
||||
@ -36,6 +36,22 @@ directive.
|
||||
Specify the DN of the pwdPolicy object to use when no specific policy is
|
||||
set on a given user's entry. If there is no specific policy for an entry
|
||||
and no default is given, then no policies will be enforced.
|
||||
.TP
|
||||
.B ppolicy_use_lockout
|
||||
A client will always receive an LDAP
|
||||
.B InvalidCredentials
|
||||
response when
|
||||
Binding to a locked account. By default, when a Password Policy control
|
||||
was provided on the Bind request, a Password Policy response will be
|
||||
included with no special error code set. This option changes the
|
||||
Password Policy response to include the
|
||||
.B AccountLocked
|
||||
error code. Note
|
||||
that sending the
|
||||
.B AccountLocked
|
||||
error code provides useful information
|
||||
to an attacker; sites that are sensitive to security issues should not
|
||||
enable this option.
|
||||
|
||||
.SH OBJECT CLASS
|
||||
The
|
||||
|
@ -40,7 +40,7 @@
|
||||
/* Per-instance configuration information */
|
||||
typedef struct pp_info {
|
||||
struct berval def_policy; /* DN of default policy subentry */
|
||||
int hide_lockout; /* omit AccountLocked result? */
|
||||
int use_lockout; /* send AccountLocked result? */
|
||||
} pp_info;
|
||||
|
||||
/* Our per-connection info - note, it is not per-instance, it is
|
||||
@ -1050,7 +1050,7 @@ ppolicy_bind( Operation *op, SlapReply *rs )
|
||||
if ( rc ) {
|
||||
pp_info *pi = on->on_bi.bi_private;
|
||||
/* This will be the Draft 8 response, Unwilling is bogus */
|
||||
if ( !pi->hide_lockout ) ppb->pErr = PP_accountLocked;
|
||||
if ( pi->use_lockout ) ppb->pErr = PP_accountLocked;
|
||||
send_ldap_error( op, rs, LDAP_INVALID_CREDENTIALS, NULL );
|
||||
return rs->sr_err;
|
||||
}
|
||||
@ -1771,13 +1771,13 @@ ppolicy_config(
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
} else if ( strcasecmp( argv[0], "ppolicy_hide_lockout" ) == 0 ) {
|
||||
} else if ( strcasecmp( argv[0], "ppolicy_use_lockout" ) == 0 ) {
|
||||
if ( argc != 1 ) {
|
||||
fprintf( stderr, "%s: line %d: ppolicy_hide_lockout "
|
||||
fprintf( stderr, "%s: line %d: ppolicy_use_lockout "
|
||||
"takes no arguments\n", fname, lineno );
|
||||
return ( 1 );
|
||||
}
|
||||
pi->hide_lockout = 1;
|
||||
pi->use_lockout = 1;
|
||||
}
|
||||
return SLAP_CONF_UNKNOWN;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user