Feature request: negative cache for failed authentication attempts

Paolo Cravero paolo.cravero at csi.it
Tue Sep 8 11:03:33 EDT 2015


Hello.

I have a feature request for saslauthd. Would it be possible to include a
cache of negative authentication attempts? Eventually with a timeout value
different from successful authentications.

Use case. One central LDAP repository with users having a single
user/password for many applications. Password potentially can be changed
through more than one interface. One of the applications is email
(cyrus-based ;-) ), that users access both via client/webmail and smartphone
(either IMAP direct or through some sort of sync integrated with the webmail
suite). For security reasons and law compliance, accounts have a lockout
policy (after X failed attempts no further BINDs are successful for an
amount of time).

In the typical situation the average user forgets to update the password on
the smartphone, which in turn is set to check for updates every 10-15-30
minutes. While the user is away (lunch, commuting, meeting, weekend, ...)
the smartphone keeps trying with the old password and the account gets
locked for all applications authenticating on that LDAP base.

LDAP implementations do not seem to allow a selective lockout, say, based on
the uid+IP rather than just the userid. At least I couldn't find a reference
on RHDS10 documentation.

The way I phrased my request, a brute force attack will equally lock out the
user since the login/password pair will be different at each attempt and
therefore not hit the negative cache. But a brute force should be noticed
and the user warned about it too.

Therefore my feature request: keep a cache of failed attempts instead of
passing them all downstream to the user database.

Paolo

