[unisog] AD and LDAP provider (account lockouts)

Stasiniewicz, Adam stasinia at msoe.edu
Sun Aug 5 03:39:28 GMT 2007

Hi Michael,

I have seen this bug before.  I know Microsoft has a hot fix for it.  But I
can't find it on their website.  The one workaround I know of is to use DNs
instead of UPNs as the username during the LDAP bind process (if your users
are in more than one container, then your apps will need to first do a
search for that user's DN).  Otherwise, you can call PSS and they should be
able to give you the hot fix.

Adam Stasiniewicz
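As an added illustration of the two points in this thread (the search-for-DN-then-bind workaround Adam describes, and an application-side failure counter for the situation Michael describes, where failed LDAP binds are not counted by AD), here is example code that is not part of the original mail. It stands in a constructed in-memory directory for a real AD server; `escape_filter_value`, `build_user_filter`, `FakeDirectory`, `FailureTracker` and `authenticate` are names chosen for this example, not an API from any library.

```python
"""Application-side LDAP authentication against Active Directory.

Combines two ideas from the thread:
  1. Resolve the user's DN with a search first (escaping the supplied
     username per RFC 4515 so it cannot alter the filter), then bind with
     that DN instead of a UPN.
  2. Because failed LDAP simple binds may not bump AD's bad-password
     counter, keep the application's own per-account failure counter and
     refuse further attempts once a threshold is reached.

FakeDirectory is a constructed stand-in for a directory server; the logic
in FailureTracker and authenticate() is what a web app's auth layer runs.
"""
from dataclasses import dataclass, field

# RFC 4515 escaping for values placed inside an LDAP search filter.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string for safe use inside an LDAP filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(sam_account_name: str) -> str:
    """Filter that locates a user's DN by sAMAccountName (hypothetical schema use)."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(sam_account_name)}))"


class FakeDirectory:
    """Constructed stand-in for AD: sAMAccountName -> (DN, password)."""

    def __init__(self, accounts: dict):
        # Index by the exact filter the app would send, so only a correctly
        # built (and escaped) filter for a real account finds a DN.
        self._by_filter = {build_user_filter(sam): dn for sam, (dn, _) in accounts.items()}
        self._passwords = {dn: pw for dn, pw in accounts.values()}

    def search_dn(self, ldap_filter: str):
        """Return the DN matching the filter, or None (simulated LDAP search)."""
        return self._by_filter.get(ldap_filter)

    def bind(self, dn: str, password: str) -> bool:
        """Simulated simple bind with a DN, as in the workaround."""
        return self._passwords.get(dn) == password


@dataclass
class FailureTracker:
    """Per-key failed-bind counter with a sliding window and a lockout period."""

    threshold: int = 5
    window_seconds: float = 900.0
    lockout_seconds: float = 900.0
    _failures: dict = field(default_factory=dict)      # key -> [timestamps]
    _locked_until: dict = field(default_factory=dict)  # key -> timestamp

    def is_locked(self, key: str, now: float) -> bool:
        return self._locked_until.get(key, 0.0) > now

    def record_failure(self, key: str, now: float) -> bool:
        """Record a failure; return True if this one triggers a lockout."""
        recent = [t for t in self._failures.get(key, []) if now - t < self.window_seconds]
        recent.append(now)
        self._failures[key] = recent
        if len(recent) >= self.threshold:
            self._locked_until[key] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)


def authenticate(directory, tracker: FailureTracker, username: str,
                 password: str, now: float) -> str:
    """Return 'locked', 'failed' or 'ok'. Counts failures the app sees itself."""
    key = username.lower()
    if tracker.is_locked(key, now):
        return "locked"  # do not even reach the directory while locked
    dn = directory.search_dn(build_user_filter(username))
    if dn is not None and directory.bind(dn, password):
        tracker.record_success(key)
        return "ok"
    # Unknown user and bad password are counted alike, so the response does
    # not reveal which accounts exist.
    tracker.record_failure(key, now)
    return "failed"


if __name__ == "__main__":
    # Constructed sample account; not a real directory entry.
    directory = FakeDirectory({"alice": ("CN=Alice,OU=Staff,DC=example,DC=edu", "correct horse")})
    tracker = FailureTracker(threshold=3)
    for second, pw in enumerate(["wrong", "wrong", "wrong", "correct horse"]):
        print(second, authenticate(directory, tracker, "alice", pw, float(second)))
```

The key the tracker uses is deliberately a parameter: keying on account name alone lets one source lock out arbitrary users, so in practice a second counter keyed on source address (or on the pair) is usual, and a short back-off is often preferable to a hard lockout.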

-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Michael Holstein
Sent: Wednesday, August 01, 2007 8:28 AM
To: UNIversity Security Operations Group
Subject: [unisog] AD and LDAP provider (account lockouts)

Let's say one has an application that does a test LDAP bind to 
authenticate a user to an external application.

LDAP is on Active Directory.

I've noticed that LDAP "password failures" do NOT increment the 
"Incorrect Attempt" counter in AD like ADSI/SMB attempts do.

How are others preventing "password grinding" against external webapps 
that use LDAP on the backend (where $backend is AD)?
Is there some simple registry hack that overcomes this (I checked all 
the security templates from Microsoft's "hardening" guidelines, and 
found no solace there).

(I've googled this extensively, and found no conclusive answer to this, 
other than to use a "normal" LDAP provider like SunOne, etc).


Michael Holstein
Cleveland State University