[email protected] wrote:
> [email protected] wrote:
>> Full_Name: Michael Ströder
>> Version: HEAD
>> OS:
>> URL:
>> Submission from: (NULL) (84.163.50.194)
>>
>> I'd like to request that a Password Modify ext. op. request should succeed
>> on a LDAP connection as anonymous if the LDAP client provides the correct old
>> password.
>>
>> E.g. OpenDS implements it like this and it makes sense to me regarding a user
>> setting a new password in case of an expired password.
>
> Adding this feature would open up the pwdModify exop as a mechanism for
> password guessing attacks.

There could still be the bad password counter in effect just like when
processing bind requests.

Ciao, Michael.
