[unisog] AD and LDAP provider (account lockouts)
michael.holstein at csuohio.edu
Wed Aug 1 13:27:34 GMT 2007
Let's say one has an application that does a test LDAP bind to
authenticate a user to an external application.
LDAP is on Active Directory.
I've noticed that LDAP "password failures" do NOT increment the
"Incorrect Attempt" counter in AD like ADSI/SMB attempts do.
How are others preventing "password grinding" against external webapps
that use LDAP on the backend (where $backend is AD)?
Is there some simple registry hack that overcomes this (I checked all
the security templates from Microsoft's "hardening" guidelines, and
found no solace there).
(I've googled this extensively, and found no conclusive answer to this,
other than to use a "normal" LDAP provider like SunOne, etc).
Cleveland State Unviersity
More information about the unisog