Add DoS protection for repeated LDAP authentication failures

[Copilot]

Implements rate-limiting in CLdapClient::authenticate to defend against DoS attacks via repeated failed authentication attempts.

Implementation

Tracking mechanism:

• std::map<string, vector<FailedAuthAttempt>> tracks failures per account with timestamps
• std::map<string, time_t> maintains blocked accounts with block start time
• CriticalSection ensures thread safety

Authentication flow changes:

1. Pre-auth: Check if account blocked → reject immediately with AS_ACCOUNT_LOCKED
2. Post-failure (rc != LDAP_SUCCESS): Record attempt, block if threshold exceeded
3. Post-success: Clear failure history for account

Memory management:

• Automatic cleanup every 100 authentications removes expired blocks and stale failures
• Failures outside time window pruned on each record

Configuration

Added LDAP config attributes with conservative defaults:

<LdapSecurity 
    authMaxFailedAttempts="5"      <!-- N: max failures allowed -->
    authFailureTimeWindow="300"    <!-- T: time window in seconds (5 min) -->
    authBlockDuration="900"        <!-- B: block duration in seconds (15 min) -->
/>

Example

After 5 failed attempts within 5 minutes:

WARNLOG: LDAP DoS Protection: Account 'user@domain' blocked for 900 seconds after 5 failed authentication attempts within 300 seconds

Subsequent attempts return immediately without LDAP server contact:

DBGLOG: LDAP DoS Protection: Authentication blocked for user 'user@domain' due to too many failed attempts

Notes

• Per-instance state (not shared across application instances)
• Block persists full duration even after successful auth elsewhere
• O(1) blocked account lookup, minimal performance impact

Original prompt

in system/security/LdapSecurity/ldapconnection.cpp in the CLdapClient::authenticate implement a strategy which defends against repeated failed authentication attempts (that can act like a DoS attack).

It autnetication fails (!= LDAP_SUCCESS) it should consider it as a potential DoS attack. When N have occured within a relatively short space (time T seconds) amount of time, the account should be blocked for B seconds.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.