On Sat, Mar 23, 2013 at 12:56 AM, Stefan Seelmann <mail@stefan-seelmann.de> wrote:
> On 22.03.2013 14:34, Emmanuel Lécharny wrote:
>> On 3/22/13 2:25 PM, Kiran Ayyagari wrote:
>>> Hi guys,
>>>
>>> We have an issue in the server where the admin (uid=admin,ou=system)
>>> account can get locked permanently based on the ppolicy configuration
>>> to lock accounts [1].
>>>
>>> IMO we should allow all user and admin accounts to get locked
>>> permanently (again, based on the ppolicy config) except the system's
>>> built-in admin account (uid=admin,ou=system). This is just to prevent
>>> any abuse involving a regular admin account.
>>
>> Let me sum up :
>> - any user can be locked permanently
>> - admin users may also be locked permanently
>> - the super-admin cannot be locked permanently
>
> If an attacker knows that the super-admin account is not locked then that
> account is the natural choice for brute force attacks. Maybe we should
> distinguish between login/bind attempts from localhost and from remote?

The only mechanism the server has right now is to induce an incremental delay (configurable in ppolicy)
after each failure between successive login attempts.
> Kind Regards,
> Stefan
--
Kiran Ayyagari
http://keydap.com
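As an added illustration (not code from this thread or from ApacheDS itself), a small Python model of the policy discussed above: permanent lockout skips the built-in admin, while the incremental bind delay still applies to it, and a temporary lockout still applies to everyone. Attribute names mirror the draft ppolicy ones; the doubling delay schedule, the DNs and all values are assumptions.

```python
from dataclasses import dataclass

# DN of the built-in super-admin named in the thread: exempt from *permanent* lockout only.
BUILTIN_ADMIN = "uid=admin,ou=system"

@dataclass
class PasswordPolicy:
    """Subset of ppolicy settings; names mirror the draft attributes, values are constructed."""
    pwd_lockout: bool = True
    pwd_max_failure: int = 3
    pwd_lockout_duration: int = 0   # seconds; 0 means the lock is permanent
    pwd_min_delay: int = 1          # seconds of delay after the first failure
    pwd_max_delay: int = 16         # ceiling for the incremental delay

@dataclass
class AccountState:
    dn: str
    failures: int = 0
    locked: bool = False

def bind_delay(policy: PasswordPolicy, failures: int) -> int:
    """Delay before the next bind: doubles per failure from pwd_min_delay, capped at pwd_max_delay.
    (Doubling is an assumption; the thread only says the delay is incremental.)"""
    if failures == 0 or policy.pwd_min_delay == 0:
        return 0
    return min(policy.pwd_min_delay * 2 ** (failures - 1), policy.pwd_max_delay)

def record_failure(policy: PasswordPolicy, state: AccountState) -> tuple[bool, int]:
    """Apply one failed bind. Returns (locked, delay_seconds_before_next_attempt)."""
    state.failures += 1
    would_be_permanent = policy.pwd_lockout_duration == 0
    exempt = state.dn == BUILTIN_ADMIN and would_be_permanent
    if policy.pwd_lockout and state.failures >= policy.pwd_max_failure and not exempt:
        state.locked = True
    return state.locked, bind_delay(policy, state.failures)

def simulate_failures(policy: PasswordPolicy, dn: str, attempts: int) -> tuple[bool, int]:
    """Run `attempts` wrong-password binds against `dn`; returns (locked, total_seconds_of_delay).
    Once locked, further binds are rejected outright, so no more delay accrues."""
    state = AccountState(dn)
    total_delay = 0
    for _ in range(attempts):
        locked, delay = record_failure(policy, state)
        total_delay += delay
        if locked:
            break
    return state.locked, total_delay

if __name__ == "__main__":
    policy = PasswordPolicy()
    print("regular admin:", simulate_failures(policy, "uid=ops-admin,ou=users", 10))  # locked after 3
    print("built-in admin:", simulate_failures(policy, BUILTIN_ADMIN, 10))            # never locked, only delayed
```

With these values the built-in admin absorbs 111 seconds of cumulative delay over ten failures but stays bindable, which is exactly the brute-force exposure Stefan raises; a regular account is locked after the third failure.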