[email protected] wrote:
> Full_Name: Michael Ströder
> Version: HEAD
> OS:
> URL:
> Submission from: (NULL) (84.163.50.194)
>
>
> I'd like to request that a Password Modify ext. op. request should succeed on
> an LDAP connection as anonymous if the LDAP client provides the correct old
> password.
>
> E.g. OpenDS implements it like this and it makes sense to me regarding a user
> setting a new password in case of an expired password.
Adding this feature would open up the pwdModify exop as a mechanism for password guessing attacks. In fact, in the next draft of the ppolicy spec I was intending to explicitly forbid this type of usage, to prevent such attacks.

http://www.openldap.org/lists/ietf-ldapext/200908/msg00006.html

The ppolicy spec provides for grace logins after a password is expired, to give users a few last opportunities to change their password. If they don't take advantage of those grace logins, then they are out of luck and must get help from a password administrator.

I'm going to reject this ITS.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
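The reasoning in the reply above, as an added Python model that is not OpenLDAP or OpenDS code: a toy directory with a ppolicy-style expiry flag and grace-login counter, run under two policies. The "open" policy is the one requested in the ITS (anonymous connection, Password Modify accepted when the old password matches); the "strict" policy is the one the reply defends (Password Modify only on an authenticated bind, with a bounded number of grace binds for an expired user). The entry layout, result-code names and the grace limit of 2 are assumptions made for the example.

```python
"""Why an anonymous Password Modify that checks the old password is an oracle.

Constructed example, not slapd or OpenDS code. Two policies on a toy directory:
  open   - anonymous pwdModify succeeds if old_pw matches (the ITS request)
  strict - pwdModify needs an authenticated bind; expired users get grace binds
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import os

ITERATIONS = 10_000  # low for a fast example; production would use far more


def _hash(pw, salt=None):
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)


def _check(stored, pw):
    return hmac.compare_digest(stored, _hash(pw, stored[:16]))


@dataclass
class Entry:
    pw_hash: bytes
    expired: bool = False
    grace_left: int = 2   # assumed pwdGraceAuthNLimit-style counter
    failures: int = 0     # wrong-password attempts seen against this entry


@dataclass
class Directory:
    strict: bool
    entries: dict = field(default_factory=dict)

    def add_user(self, dn, pw, expired=False):
        self.entries[dn] = Entry(_hash(pw), expired=expired)

    def bind(self, dn, pw):
        """Simple bind: 'success', 'grace', 'expired' or 'invalid'."""
        e = self.entries[dn]
        if not _check(e.pw_hash, pw):
            e.failures += 1
            return "invalid"
        if e.expired:
            if e.grace_left == 0:
                return "expired"   # out of grace: needs a password administrator
            e.grace_left -= 1
            return "grace"         # bind allowed once more so the user can change it
        return "success"

    def password_modify(self, bound_dn, target_dn, old_pw, new_pw):
        """Password Modify extended operation, simplified.

        bound_dn is None on an anonymous connection.
        """
        e = self.entries[target_dn]
        if bound_dn is None:
            if self.strict:
                # Refuse before touching old_pw: the answer must not depend on it.
                return "unwillingToPerform"
            # Open policy: anonymous caller is judged on old_pw alone.
            if not _check(e.pw_hash, old_pw):
                e.failures += 1
                return "invalidCredentials"
        elif bound_dn != target_dn:
            return "insufficientAccessRights"
        elif old_pw is not None and not _check(e.pw_hash, old_pw):
            e.failures += 1
            return "invalidCredentials"
        e.pw_hash = _hash(new_pw)
        e.expired = False
        return "success"


def answers_seen_by_anonymous(d, dn, candidates):
    """Distinct results an unauthenticated caller gets for a set of old_pw values.

    More than one distinct answer means the exop distinguishes right from wrong
    passwords without a bind, i.e. it can be used as a guessing oracle.
    """
    return {d.password_modify(None, dn, c, "changed") for c in candidates}


def expired_user_recovers(d, dn, old_pw, new_pw):
    """The ppolicy path: grace bind, authenticated pwdModify, normal bind."""
    return [d.bind(dn, old_pw),
            d.password_modify(dn, dn, old_pw, new_pw),
            d.bind(dn, new_pw)]


if __name__ == "__main__":
    open_dir = Directory(strict=False)
    open_dir.add_user("uid=alice", "s3cret")
    print("open:  ", answers_seen_by_anonymous(open_dir, "uid=alice", ["no", "s3cret"]))
    strict_dir = Directory(strict=True)
    strict_dir.add_user("uid=alice", "s3cret", expired=True)
    print("strict:", answers_seen_by_anonymous(strict_dir, "uid=alice", ["no", "s3cret"]))
    print("grace: ", expired_user_recovers(strict_dir, "uid=alice", "s3cret", "n3w"))
```

Under the open policy the anonymous caller sees two different answers, and a correct guess even resets the password; under the strict policy every anonymous attempt gets the same refusal and no password comparison is performed, while a user with an expired password still gets through via a grace bind followed by an authenticated Password Modify.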
