under some kind of attack

Joseph Tam jtam.home at gmail.com
Mon Jul 24 05:51:58 EEST 2017


>> As per my post: checkpassword.  You can then use one password on Mondays,
>> Wednesdays, and Fridays, alternate passwords on Tuesdays and Thursdays
>> fetched from a rot-13 database, and only from prime numbered IP addresses
>> on weekends, if that's what you want.
>
> Having read the wiki page on checkpassword, I am unsure how this would
> work with an ldap backend.
>
> Could you elaborate on that?

You are essentially writing your own backend by taking over
authentication.  You'll be accepting user/password inputs into your
checkpassword executable, then use the LDAP API (or some other system
that will do it for you) to authenticate.  (You can Google around for code
snippets.)  You'll have direct control over all aspects of authentication
(if/when/where/etc) that a generic backend can't provide.

You can choose to implement it using a shell/Perl/etc. script, or compile
it to an executable from C sources.  It's more work, but if you need to do
everything on your wish list, I can't see any easier option.

One of the drawbacks is that a working password depends on both time
and source address, which will adversely affect performance on a
busy server as authentication data cannot be cached.

Joseph Tam <jtam.home at gmail.com>

