directory-dev mailing list archives

From Stefan Seelmann <m...@stefan-seelmann.de>
Subject Re: [ApacheDS] preventing built-in admin account from getting locked permanently
Date Fri, 22 Mar 2013 19:26:01 GMT
On 22.03.2013 14:34, Emmanuel Lécharny wrote:
> On 3/22/13 2:25 PM, Kiran Ayyagari wrote:
>> Hi guys,
>>
>> We have an issue in the server where the admin (uid=admin,ou=system)
>> account can get locked permanently based on the ppolicy configuration to
>> lock accounts [1].
>>
>> IMO we should allow all user and admin accounts to get locked permanently
>> (again, based on the ppolicy config) except the system's built-in admin
>> account (uid=admin,ou=system). This is just to prevent any abuse involving
>> a regular admin account.
> 
> Let me sum up:
> - any user can be locked permanently
> - admin users may also be locked permanently
> - the super-admin cannot be locked permanently

If an attacker knows that the super-admin account is not locked, then that
account is the natural choice for brute-force attacks. Maybe we should
distinguish between login/bind attempts from localhost and from remote?

Kind Regards,
Stefan
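The lockout rules discussed in this thread, modelled as an added illustration (not ApacheDS code). It assumes the ppolicy semantics that pwdLockoutDuration 0 means a permanent lock, and it interprets Stefan's localhost/remote idea as: the built-in uid=admin,ou=system account is exempt from permanent lockout only for binds arriving from a loopback address, so a remote brute-force attempt against it is still locked like any other account.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

SUPER_ADMIN_DN = "uid=admin,ou=system"  # built-in account named in the thread


@dataclass
class PPolicy:
    pwd_max_failure: int = 3        # failed binds tolerated before locking
    pwd_lockout_duration: int = 0   # seconds the lock lasts; 0 = permanent (assumed)


@dataclass
class LockoutTracker:
    policy: PPolicy
    failures: dict = field(default_factory=dict)    # dn -> consecutive failures
    lock_until: dict = field(default_factory=dict)  # dn -> unlock time, None = permanent

    def is_locked(self, dn: str, now: float) -> bool:
        if dn not in self.lock_until:
            return False
        until = self.lock_until[dn]
        if until is None or now < until:
            return True
        # temporary lock has expired: clear it together with the failure counter
        del self.lock_until[dn]
        self.failures.pop(dn, None)
        return False

    def record_success(self, dn: str) -> None:
        """A successful bind resets the consecutive-failure counter."""
        self.failures.pop(dn, None)

    def record_failure(self, dn: str, client_ip: str, now: float) -> str:
        """Apply one failed bind and return what the policy did."""
        if self.is_locked(dn, now):
            return "already-locked"
        self.failures[dn] = self.failures.get(dn, 0) + 1
        if self.failures[dn] < self.policy.pwd_max_failure:
            return "counted"
        if self.policy.pwd_lockout_duration > 0:
            self.lock_until[dn] = now + self.policy.pwd_lockout_duration
            return "locked-temporarily"
        # Permanent lock requested by policy. Assumed reading of the thread:
        # the built-in admin keeps a recovery path only from the local host,
        # so remote guessing against it does not get a free pass.
        if dn == SUPER_ADMIN_DN and ip_address(client_ip).is_loopback:
            return "exempt-localhost-admin"
        self.lock_until[dn] = None
        return "locked-permanently"
```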

