#dominoforever | Product Ideas Portal


Add security policy for domino ldap

AD LDAP provides a security policy that locks out a user after five invalid login attempts, but there is no such feature for Domino LDAP.
The customer provided Domino LDAP for third-party software to access; without this feature it is not safe, so please consider adding this feature in a higher version.
  • Guest
  • Aug 29 2019
  • Shipped
  • Guest commented
    10 Jan, 2020 05:54pm

    This came in through a fix and nobody really knew about it.

    In R5 this was introduced for HTTP only. And they didn't want to change it.

    At some point someone did a fix for an issue and moved the check to a different part of the code and that made it available for all internet protocols!

    This was never fully documented as a feature. But it has been in Domino for a while.

    You have to be careful! If you have, for example, an external server like Sametime (in earlier times we had this with Quickr) which needed an LDAP user, and someone creates multiple wrong-password requests, your other service will suffer from that. It's a type of DoS attack!

    I would wish we could be more flexible in the way this is handled. But it is difficult!

    There are other ways to protect. There are approaches like fail2ban which block IP addresses with more than a certain number of wrong password requests.

    I wrote a free fail2ban rule-set for Domino on Linux which ships with my start script.

    See my blog post for details

    And I have also written a more complex solution for remote NGINX support with X-Forwarded-For support. That's something which needs specific implementation per customer environment and doesn't make sense for a standard product.

    But what would make sense is blocking by number of wrong logins per IP.

    [ Daniel Nashed / http://blog.nashcom.de ]
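The trade-off described in the comment above (per-account lockout can be turned into a denial of service against a shared service account, while per-IP blocking only affects the offending source) can be shown with a small simulation. The following is an added example, not code from the ideas portal and not part of Daniel Nashed's start script or fail2ban rule-set. It assumes a hypothetical, constructed log-line format (`LDAP auth failed user=... ip=...`); real Domino console output would need its own regular expression.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format. This is NOT Domino's
# real console output; it only carries the fields the two counters need.
# Scenario: 203.0.113.7 sends six bad passwords for the shared service account
# svc_sametime; 198.51.100.5 is a user who mistypes once; 192.0.2.10 is the
# legitimate Sametime server presenting the correct svc_sametime password.
SAMPLE_LOG = """\
2020-01-10 17:00:01 LDAP auth failed user=svc_sametime ip=203.0.113.7
2020-01-10 17:00:02 LDAP auth failed user=svc_sametime ip=203.0.113.7
2020-01-10 17:00:03 LDAP auth failed user=svc_sametime ip=203.0.113.7
2020-01-10 17:00:04 LDAP auth failed user=svc_sametime ip=203.0.113.7
2020-01-10 17:00:05 LDAP auth failed user=svc_sametime ip=203.0.113.7
2020-01-10 17:00:06 LDAP auth failed user=svc_sametime ip=203.0.113.7
2020-01-10 17:00:10 LDAP auth failed user=alice ip=198.51.100.5
2020-01-10 17:00:12 LDAP auth ok user=alice ip=198.51.100.5
2020-01-10 17:00:30 LDAP auth ok user=svc_sametime ip=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) LDAP auth (?P<result>failed|ok) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_events(text):
    """Yield (timestamp, ok, user, ip) tuples; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        yield ts, m["result"] == "ok", m["user"], m["ip"]


def simulate(events, key_of, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window counter keyed by account or by source IP.

    A key is blocked once it accumulates `threshold` failures inside `window`.
    A successful login clears the key's counter (as lockout policies usually do).
    Returns (blocked_keys, denied): `denied` lists (user, ip) pairs whose
    otherwise-valid login was refused only because the key was already blocked,
    i.e. the collateral damage the comment above warns about.
    """
    failures = defaultdict(deque)
    blocked = set()
    denied = []
    for ts, ok, user, ip in events:
        key = key_of(user, ip)
        if key in blocked:
            if ok:
                denied.append((user, ip))
            continue
        if ok:
            failures[key].clear()
            continue
        q = failures[key]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            blocked.add(key)
    return blocked, denied


def account_lockout(events, **kw):
    """AD-style policy: count failures per account."""
    return simulate(events, lambda user, ip: user, **kw)


def ip_blocking(events, **kw):
    """fail2ban-style policy: count failures per source IP."""
    return simulate(events, lambda user, ip: ip, **kw)


def compare(log_text=SAMPLE_LOG):
    """Run both policies over the same log and report who gets blocked or denied."""
    events = list(parse_events(log_text))
    locked, account_collateral = account_lockout(events)
    blocked, ip_collateral = ip_blocking(events)
    return {
        "locked_accounts": sorted(locked),
        "account_collateral": account_collateral,
        "blocked_ips": sorted(blocked),
        "ip_collateral": ip_collateral,
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```

On the constructed input, account lockout locks `svc_sametime` after the fifth bad password from 203.0.113.7 and then refuses the legitimate Sametime server at 192.0.2.10, which is exactly the self-inflicted outage described above; per-IP blocking stops 203.0.113.7 and leaves both other sources untouched. The caveat from the NGINX remark applies: per-IP counting is only meaningful if the LDAP server sees the real client address, which is not the case behind a reverse proxy unless the forwarded client IP is carried through.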

  • Admin
    Thomas Hampel commented
    10 Jan, 2020 05:25pm