On Mon, Apr 20, 2015 at 07:28:31PM +0200, Michael Ströder wrote:
> ***@hrz.uni-marburg.de wrote:
> > Whenever a login fails due to an invalid password, the ppolicy-module will
> > count this as a failure. After a configurable number of password failures in a
> > given time, ppolicy will take action and - for example - lock the account. I
> > have tried to tweak this behaviour: When the password is found in the password
> > history, the ppolicy-module will not count this as a password failure. If
> > anyone is interested in this, please find the attached patch which also
> > includes a working example configuration/testcase.
>
> I guess this change would open a can of worms, e.g. when password
> expiry is in effect.
Should be OK: it is not allowing authentication with an old password,
just not counting it against the lockout criteria. If one *has* to have
password lockout then I think something like this is essential to reduce
the risk of denial-of-service to legitimate users.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
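The lockout rule under discussion, as an added model (not the patch, and not OpenLDAP's ppolicy code): wrong passwords are counted within pwdFailureCountInterval and lock the account at pwdMaxFailure, while a bind with a password still present in pwdHistory is rejected but, with the proposed tweak, not counted. The hashing scheme, the `Account`/`Policy` classes and the `count_history_as_failure` switch are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import hashlib


@dataclass
class Policy:
    # Field names mirror the ppolicy attributes; semantics are modelled here, not OpenLDAP's.
    max_failure: int = 3                 # pwdMaxFailure
    failure_count_interval: int = 300    # pwdFailureCountInterval (seconds), 0 = never purge
    lockout_duration: int = 0            # pwdLockoutDuration (seconds), 0 = locked until reset


@dataclass
class Account:
    password_hash: str
    history: List[str]                                   # pwdHistory (hashes of old passwords)
    failure_times: List[int] = field(default_factory=list)  # pwdFailureTime values
    locked_at: Optional[int] = None                      # pwdAccountLockedTime


def pw_hash(pw: str) -> str:
    # Constructed stand-in for the directory's password hashing scheme.
    return hashlib.sha256(pw.encode()).hexdigest()


def bind(acct: Account, pol: Policy, password: str, now: int,
         count_history_as_failure: bool = False) -> Tuple[bool, bool]:
    """Simulate a simple bind; returns (authenticated, account_locked)."""
    if acct.locked_at is not None:
        if pol.lockout_duration == 0 or now - acct.locked_at < pol.lockout_duration:
            return False, True            # still locked: refused whatever the password
        acct.locked_at = None             # lockout expired (modelling choice: start clean)
        acct.failure_times.clear()
    cand = pw_hash(password)
    if cand == acct.password_hash:
        acct.failure_times.clear()        # successful bind purges pwdFailureTime
        return True, False
    if cand in acct.history and not count_history_as_failure:
        return False, False               # the tweak: old password rejected, not counted
    if pol.failure_count_interval > 0:    # drop failures outside the counting window
        acct.failure_times = [t for t in acct.failure_times
                              if now - t < pol.failure_count_interval]
    acct.failure_times.append(now)
    if len(acct.failure_times) >= pol.max_failure:
        acct.locked_at = now
        return False, True
    return False, False
```

Setting `count_history_as_failure=True` reproduces the unmodified behaviour, where repeated binds with a stale password lock the account just like random guesses do.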