[unisog] AD and LDAP provider (account lockouts)

Michael Holstein michael.holstein at csuohio.edu
Wed Aug 1 13:27:34 GMT 2007


Let's say one has an application that does a test LDAP bind to 
authenticate a user to an external application.

LDAP is on Active Directory.

I've noticed that LDAP "password failures" do NOT increment the 
"Incorrect Attempt" counter in AD like ADSI/SMB attempts do.

How are others preventing "password grinding" against external webapps 
that use LDAP on the backend (where $backend is AD)?
Is there some simple registry hack that overcomes this? (I checked all 
the security templates from Microsoft's "hardening" guidelines, and 
found no solace there.)

(I've googled this extensively, and found no conclusive answer to this, 
other than to use a "normal" LDAP provider like SunOne, etc).

Thanks,

Michael Holstein
Cleveland State University
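
Added example, not part of the original post: one application-side way to limit password guessing in the setup described above is to count failed test binds per account inside the web application and stop forwarding attempts to the directory once a threshold is reached. The class name, the thresholds and the `bind` callable (a wrapper around the application's own LDAP bind) are assumptions.

```python
import time
from collections import deque


class BindThrottle:
    """Per-account failure counter placed in front of an LDAP test bind."""

    def __init__(self, bind, max_failures=5, window=900, lockout=900,
                 clock=time.monotonic):
        self._bind = bind          # assumed: callable(user, password) -> bool
        self._max = max_failures   # failures allowed inside `window` seconds
        self._window = window
        self._lockout = lockout    # seconds an account stays locked
        self._clock = clock
        self._failures = {}        # account -> deque of failure timestamps
        self._locked_until = {}    # account -> time the lock expires

    def authenticate(self, username, password):
        key = username.strip().lower()  # AD logon names are case-insensitive
        now = self._clock()
        if self._locked_until.get(key, 0) > now:
            return "locked"             # attempt never reaches the directory
        recent = self._failures.setdefault(key, deque())
        while recent and now - recent[0] > self._window:
            recent.popleft()            # forget failures outside the window
        # An empty password would turn a simple bind into an unauthenticated
        # bind, which a server may accept, so it is rejected before binding.
        if password and self._bind(username.strip(), password):
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= self._max:
            self._locked_until[key] = now + self._lockout
            recent.clear()
        return "denied"


if __name__ == "__main__":
    # Constructed stand-in for the real LDAP bind, for demonstration only.
    throttle = BindThrottle(lambda u, p: p == "correct", max_failures=3)
    for guess in ("a", "b", "c", "correct"):
        print(guess, throttle.authenticate("jdoe", guess))
```

The counters here live in one process; a web application running several workers or servers would need to keep them in a shared store so the threshold applies across all of them.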

