-
Notifications
You must be signed in to change notification settings - Fork 1
/
slapo-explockout.5
132 lines (115 loc) · 3.12 KB
/
slapo-explockout.5
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
.TH SLAPO-EXPLOCKOUT 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 2018 David Coutadeur, All Rights Reserved.
.\" $OpenLDAP$
.SH NAME
slapo-explockout \- explockout overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The
.B explockout
overlay to
.BR slapd (8)
requires the user to wait for an exponential time before he can authenticate again.
The overlay deeply relies on the
.B pwdFailureTime
attribute of the ppolicy.
Then, the administrator should set the ppolicy accordingly, especialy:
.TS
tab (@);
l lx.
@T{
.B pwdFailureCountInterval
number of seconds before the failed attemps are dropped
T}
@T{
.B pwdLockout
activation of the lockout failure
T}
@T{
.B pwdMaxFailure
number of authorized failed authentication attempts
T}
@T{
.B pwdLockoutDuration
number of seconds the password cannot be used after too many failed authentications
T}
@T{
.B pwdMaxRecordedFailure
maximum number of attributes pwdFailureTime stored in the user entry
T}
.TE
.SH CONFIGURATION
The config directives that are specific to the
.B explockout
overlay must be prefixed by
.BR explockout\- ,
to avoid potential conflicts with directives specific to the underlying
database or to other stacked overlays.
.B Important:
The overlay must be called before ppolicy, else the ppolicy is going to change pwdFailureTime before explockout can deny authentication.
.TP
.B overlay explockout
This directive adds the
.B explockout
overlay to the current database, see
.BR slapd.conf (5)
for details.
.LP
This
.B slapd.conf
configuration option is defined for the explockout overlay. It must
appear after the
.B overlay
directive:
.TP
.B explockout-basetime <seconds>
The value
.B <seconds>
is the base time used to compute the waiting time.
waiting time = (base time) ^ (number of pwdFailureTime)
Constraint: 1 < basetime < 10
.TP
.B explockout-maxtime <seconds>
Whatever waiting time is computed, it cannot exceed explockout-maxtime.
if (base time) ^ (number of pwdFailureTime) > max time
waiting time = max time
.SH EXAMPLE
This example configures the
.B explockout
overlay to wait for 3 ^ (number of pwdFailureTime) seconds
before the user can authenticate again after failed attempts.
The user should not wait for more than 15 minutes (900 s).
Add the following to
.BR slapd.conf (5):
.LP
.nf
modulepath /path/to/openldap/modules
moduleload explockout.la
# ...
database <database>
# ...
overlay explockout
explockout-basetime 3
explockout-maxtime 900
overlay ppolicy
.fi
.LP
.SH LIMITATIONS
.TP
The overlay works in conjunction with the ppolicy overlay. As a consequence, when the authentication is still locked by explockout, a new authentication, even if valid, will result in a new pwdFailureTime. In other words, new authentications (even valid ones) to a locked acccount are going to increment the time to wait.
.SH FILES
.TP
ETCDIR/slapd.conf
default slapd configuration file
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd (8).
The
.BR slapo-explockout (5)
overlay supports dynamic configuration via
.BR back-config.
.SH ACKNOWLEDGEMENTS
.P
This module was written in 2018 by David Coutadeur. It is loosely
derived from the lastbind overlay.