that may be created.
.SH CONFIGURATION
-There is one
+These
.B slapd.conf
-configuration option for the ppolicy overlay. It should appear
+configuration options apply to the ppolicy overlay. They should appear
after the
.B overlay
directive.
Specify the DN of the pwdPolicy object to use when no specific policy is
set on a given user's entry. If there is no specific policy for an entry
and no default is given, then no policies will be enforced.
+.TP
+.B ppolicy_use_lockout
+A client will always receive an LDAP
+.B InvalidCredentials
+response when
+Binding to a locked account. By default, when a Password Policy control
+was provided on the Bind request, a Password Policy response will be
+included with no special error code set. This option changes the
+Password Policy response to include the
+.B AccountLocked
+error code. Note
+that sending the
+.B AccountLocked
+error code provides useful information
+to an attacker; sites that are sensitive to security issues should not
+enable this option.
.SH OBJECT CLASS
The
/* Per-instance configuration information */
typedef struct pp_info {
struct berval def_policy; /* DN of default policy subentry */
- int hide_lockout; /* omit AccountLocked result? */
+ int use_lockout; /* send AccountLocked result? */
} pp_info;
/* Our per-connection info - note, it is not per-instance, it is
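Review bot: The renamed field `int use_lockout; /* send AccountLocked result? */` inverts the flag so that zero is now the secure default, but that only holds if the pp_info instance is zero-initialized when the overlay is instantiated, and that allocation is outside this hunk; a non-zeroing allocator would leave stale memory deciding whether locked accounts are disclosed. Worth confirming the allocation path zeroes the struct, and the field comment could state the intent so nobody flips it back: `int use_lockout; /* send AccountLocked in ppolicy response? 0 (default) withholds it so a Bind cannot confirm an account is locked */`.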
if ( rc ) {
pp_info *pi = on->on_bi.bi_private;
/* This will be the Draft 8 response, Unwilling is bogus */
- if ( !pi->hide_lockout ) ppb->pErr = PP_accountLocked;
+ if ( pi->use_lockout ) ppb->pErr = PP_accountLocked;
send_ldap_error( op, rs, LDAP_INVALID_CREDENTIALS, NULL );
return rs->sr_err;
}
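Review bot: The new branch `if ( pi->use_lockout ) ppb->pErr = PP_accountLocked;` withholds the AccountLocked code by default, but nothing in the code says why, and the reason is a security one (the man page text in this same change says the code is useful information to an attacker). A why-comment keeps a later maintainer from restoring it as a "fix": `/* Only report AccountLocked when ppolicy_use_lockout is set: the code confirms to an attacker that the account exists and is locked, so by default the client sees a plain InvalidCredentials with no ppolicy error code. */`. The default branch leaves ppb->pErr at whatever it was initialized to earlier in the function, which starts before this hunk, so it relies on that initial value being PP_noError — worth confirming; whether other observable differences (e.g. response timing) still distinguish a locked account from a wrong password is not visible here.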
return 1;
}
return 0;
- } else if ( strcasecmp( argv[0], "ppolicy_hide_lockout" ) == 0 ) {
+ } else if ( strcasecmp( argv[0], "ppolicy_use_lockout" ) == 0 ) {
if ( argc != 1 ) {
- fprintf( stderr, "%s: line %d: ppolicy_hide_lockout "
+ fprintf( stderr, "%s: line %d: ppolicy_use_lockout "
"takes no arguments\n", fname, lineno );
return ( 1 );
}
- pi->hide_lockout = 1;
+ pi->use_lockout = 1;
}
return SLAP_CONF_UNKNOWN;
}
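Review bot: `ppolicy_hide_lockout` is no longer recognized after the rename at `strcasecmp( argv[0], "ppolicy_use_lockout" )`, so an existing slapd.conf that set it now falls through to `return SLAP_CONF_UNKNOWN` and presumably fails to load as an unknown directive, even though the behaviour it asked for is now the default. Accepting the old keyword as a deprecated no-op avoids breaking those configurations without weakening anything: `} else if ( strcasecmp( argv[0], "ppolicy_hide_lockout" ) == 0 ) { /* deprecated: hiding AccountLocked is now the default */ return 0; }`. The renamed error message in the fprintf matches the new keyword. The enclosing function starts before this hunk.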