From d1292c1b1468fc55a95e680c04af0f4c26209ad8 Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Thu, 18 Mar 2004 10:35:54 +0000
Subject: [PATCH] Added ppolicy_use_lockout keyword; Default behavior is not to issue the PP_accountLocked error for locked accounts. (Gives too much information to attackers.)
---
 doc/man/man5/slapd-ppolicy.5 | 20 ++++++++++++++++++--
 servers/slapd/overlays/ppolicy.c | 10 +++++-----
 2 files changed, 23 insertions(+), 7 deletions(-)
diff --git a/doc/man/man5/slapd-ppolicy.5 b/doc/man/man5/slapd-ppolicy.5
index a4ec53563d..bb9f27d1bc 100644
--- a/doc/man/man5/slapd-ppolicy.5
+++ b/doc/man/man5/slapd-ppolicy.5
@@ -25,9 +25,9 @@
 policies, and there is no limit to the number of password policies that may be created.
 .SH CONFIGURATION
-There is one
+These
 .B slapd.conf
-configuration option for the ppolicy overlay. It should appear
+configuration options apply to the ppolicy overlay. They should appear
 after the
 .B overlay
 directive.
@@ -36,6 +36,22 @@ directive.
 Specify the DN of the pwdPolicy object to use when no specific policy is set on a given user's entry. If there is no specific policy for an entry and no default is given, then no policies will be enforced.
+.TP
+.B ppolicy_use_lockout
+A client will always receive an LDAP
+.B InvalidCredentials
+response when
+Binding to a locked account. By default, when a Password Policy control
+was provided on the Bind request, a Password Policy response will be
+included with no special error code set. This option changes the
+Password Policy response to include the
+.B AccountLocked
+error code. Note
+that sending the
+.B AccountLocked
+error code provides useful information
+to an attacker; sites that are sensitive to security issues should not
+enable this option.
 .SH OBJECT CLASS
 The
diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
index 0b68a2b5b7..78ac231e64 100644
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -40,7 +40,7 @@
 /* Per-instance configuration information */
 typedef struct pp_info {
 struct berval def_policy; /* DN of default policy subentry */
- int hide_lockout; /* omit AccountLocked result? */
+ int use_lockout; /* send AccountLocked result? */
 } pp_info;
 /* Our per-connection info - note, it is not per-instance, it is
@@ -1050,7 +1050,7 @@ ppolicy_bind( Operation *op, SlapReply *rs )
 if ( rc ) {
 pp_info *pi = on->on_bi.bi_private;
 /* This will be the Draft 8 response, Unwilling is bogus */
- if ( !pi->hide_lockout ) ppb->pErr = PP_accountLocked;
+ if ( pi->use_lockout ) ppb->pErr = PP_accountLocked;
 send_ldap_error( op, rs, LDAP_INVALID_CREDENTIALS, NULL );
 return rs->sr_err;
 }
@@ -1771,13 +1771,13 @@ ppolicy_config(
 return 1;
 }
 return 0;
- } else if ( strcasecmp( argv[0], "ppolicy_hide_lockout" ) == 0 ) {
+ } else if ( strcasecmp( argv[0], "ppolicy_use_lockout" ) == 0 ) {
 if ( argc != 1 ) {
- fprintf( stderr, "%s: line %d: ppolicy_hide_lockout "
+ fprintf( stderr, "%s: line %d: ppolicy_use_lockout "
 "takes no arguments\n", fname, lineno );
 return ( 1 );
 }
- pi->hide_lockout = 1;
+ pi->use_lockout = 1;
 }
 return SLAP_CONF_UNKNOWN;
 }
-- 
2.39.5
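Review bot: The new field comment `/* send AccountLocked result? */` names what the flag selects but not its default, which is the security-relevant half of this commit: the flag is only ever set to 1 by the ppolicy_use_lockout directive (see the ppolicy_config hunk) and is presumably left at zero otherwise. The comment should say so, e.g. `int use_lockout; /* send AccountLocked result? 0 (default) = never; set by ppolicy_use_lockout */`. The struct is fully visible here, but the allocation of pp_info is not, so confirm the instance is zero-filled (calloc/memset) when it is created; otherwise the "default off" behaviour depends on uninitialised memory.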
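Review bot: The comment `/* This will be the Draft 8 response, Unwilling is bogus */` above the changed line no longer explains the branch, which now sets PP_accountLocked only when the administrator opted in and otherwise leaves ppb->pErr at whatever it was initialised to (presumably a no-error value, not visible here); a future reader will see the default as an omission and "fix" it. Replace it with `/* Only report AccountLocked when ppolicy_use_lockout is set; by default the Bind fails with a plain invalidCredentials so lock state is not disclosed to unauthenticated clients */`. Hiding the result code removes only the explicit signal: if this `if ( rc )` branch is reached before the supplied password has actually been verified (ppolicy_bind starts outside the hunk, so this cannot be confirmed here), the response time for a locked account can still differ from an unlocked one, so the lockout check should be ordered or padded so that both paths do comparable work.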
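Review bot: After `pi->use_lockout = 1;` the new branch falls out of the if/else chain and reaches `return SLAP_CONF_UNKNOWN;`, whereas the ppolicy_default branch just above finishes with `return 0;` once it has consumed its directive. If the caller treats SLAP_CONF_UNKNOWN as "not mine" and passes the keyword on to the next config handler (not visible here), the flag is set but slapd may then warn about or reject an unknown directive, which is confusing for the one option an operator is told to enable deliberately; add `return 0;` after the assignment to match the branch above. The enclosing ppolicy_config function starts outside the hunk.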