directory-dev mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: [ApacheDS] preventing built-in admin account from getting locked permanently
Date Fri, 22 Mar 2013 19:34:19 GMT
On Sat, Mar 23, 2013 at 12:56 AM, Stefan Seelmann <mail@stefan-seelmann.de> wrote:

> On 22.03.2013 14:34, Emmanuel Lécharny wrote:
> > Le 3/22/13 2:25 PM, Kiran Ayyagari a écrit :
> >> Hi guys,
> >>
> >>      We have an issue in the server where the admin (uid=admin,ou=system)
> >> account can get locked permanently based on the ppolicy configuration to
> >> lock accounts [1].
> >>
> >>      IMO we should allow all user and admin accounts to get locked
> >> permanently (again, based on the ppolicy config) except the system's
> >> built-in admin account (uid=admin,ou=system). This is just to prevent any
> >> abuse involving a regular admin account.
> >
> > Let me sum up :
> > - any user can be locked permanently
> > - admin users may also be locked permanently
> > - the super-admin cannot be locked permanently
>
> If an attacker knows that super-admin account is not locked then that
> account is the natural choice for brute force attacks. Maybe we should
> distinguish between login/bind attempts from localhost and from remote?
>
The only mechanism that the server has right now is to induce an incremental
delay (configurable in ppolicy) after each failure between successive login
attempts.

> Kind Regards,
> Stefan
>
>


-- 
Kiran Ayyagari
http://keydap.com
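The three-tier lockout rule Emmanuel summarised, the incremental delay Kiran describes, and Stefan's local-versus-remote distinction can be seen side by side in a small model of the bind path. This is an added example, not ApacheDS code, and it is written in plain Python rather than Java because it models policy logic only and touches no server API. The attribute names in the comments (pwdMaxFailure, pwdLockoutDuration, pwdMinDelay, pwdMaxDelay, pwdAccountLockedTime) are those of the Behera LDAP password-policy draft; the class and function names, the sample account `uid=alice,ou=users`, the test clock, and the 300-second timed lock applied to remote super-admin binds are assumptions of this example, not something the thread settled on.

```python
"""Model of LDAP password-policy lockout as discussed on the list.

Added example, not ApacheDS code. Attribute names in comments follow the
Behera password-policy draft; everything else here is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SUPER_ADMIN_DN = "uid=admin,ou=system"   # the built-in account named in the thread


@dataclass
class PasswordPolicy:
    max_failure: int = 3            # pwdMaxFailure: failures before the account locks
    lockout_duration: int = 0       # pwdLockoutDuration in seconds; 0 means permanent
    min_delay: int = 1              # pwdMinDelay: delay after the first failure (seconds)
    max_delay: int = 64             # pwdMaxDelay: cap on the incremental delay
    super_admin_remote_lock: int = 300  # assumed: timed lock for super-admin from remote


@dataclass
class AccountState:
    failures: int = 0
    locked_at: Optional[float] = None   # pwdAccountLockedTime on the test clock
    lock_seconds: Optional[int] = None  # None = permanent lock, else timed lock


@dataclass
class BindGuard:
    policy: PasswordPolicy
    accounts: Dict[str, AccountState] = field(default_factory=dict)

    def _is_locked(self, st: AccountState, now: float) -> bool:
        if st.locked_at is None:
            return False
        if st.lock_seconds is None:
            return True                       # permanent: only an operator can clear it
        if now - st.locked_at >= st.lock_seconds:
            st.locked_at, st.lock_seconds, st.failures = None, None, 0  # lock expired
            return False
        return True

    def bind(self, dn: str, password_ok: bool, now: float,
             from_localhost: bool = True) -> Tuple[str, int]:
        """Evaluate one bind attempt; returns (outcome, delay_seconds)."""
        st = self.accounts.setdefault(dn, AccountState())
        if self._is_locked(st, now):
            return ("locked", 0)
        if password_ok:
            st.failures = 0
            return ("ok", 0)
        st.failures += 1
        if st.failures >= self.policy.max_failure:
            if dn != SUPER_ADMIN_DN:
                # users and regular admins: lock per ppolicy (0 duration = permanent)
                st.locked_at = now
                st.lock_seconds = self.policy.lockout_duration or None
                return ("locked", 0)
            if not from_localhost:
                # super-admin over the network: timed lock only, never permanent
                st.locked_at = now
                st.lock_seconds = self.policy.lockout_duration or self.policy.super_admin_remote_lock
                return ("locked", 0)
            # super-admin from localhost: never locked, only delayed
        # incremental delay: doubles per consecutive failure up to pwdMaxDelay
        delay = min(self.policy.max_delay, self.policy.min_delay * 2 ** (st.failures - 1))
        return ("invalid", delay)


def demo():
    """Run the three cases from the thread and return the labelled outcomes."""
    guard = BindGuard(PasswordPolicy(max_failure=3, lockout_duration=0))
    user = "uid=alice,ou=users"          # constructed sample account
    out = []
    for t in range(4):                   # regular user: permanent lock on 3rd failure
        out.append(("alice", guard.bind(user, False, now=t)))
    out.append(("alice-later", guard.bind(user, True, now=99_999)))
    for t in range(8):                   # super-admin on localhost: delay grows, no lock
        out.append(("admin-local", guard.bind(SUPER_ADMIN_DN, False, now=t)))
    out.append(("admin-local-ok", guard.bind(SUPER_ADMIN_DN, True, now=8)))
    for t in range(3):                   # super-admin from remote: timed lock
        out.append(("admin-remote", guard.bind(SUPER_ADMIN_DN, False, now=t, from_localhost=False)))
    out.append(("admin-remote-early", guard.bind(SUPER_ADMIN_DN, True, now=10, from_localhost=False)))
    out.append(("admin-remote-later", guard.bind(SUPER_ADMIN_DN, True, now=1000, from_localhost=False)))
    return out


if __name__ == "__main__":
    for label, result in demo():
        print(f"{label:20s} {result}")
```

The regular account ends in a lock that a correct password no longer clears, which is the permanent lockout the thread is about; the super-admin bound from localhost is never locked but pays a delay that doubles per failure until it hits pwdMaxDelay, which is the only throttle Kiran says the server has today; and the remote super-admin case shows what Stefan's distinction would look like if it were made concrete as a timed rather than permanent lock.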
