On 22.03.2013 14:34, Emmanuel Lécharny wrote:
> On 3/22/13 2:25 PM, Kiran Ayyagari wrote:
>> Hi guys,
>>
>> We have an issue in the server where the admin (uid=admin,ou=system) account can get locked permanently based on the ppolicy configuration to lock accounts [1].
>>
>> IMO we should allow all user and admin accounts to get locked permanently (again, based on the ppolicy config) except the system's built-in admin account (uid=admin,ou=system). This is just to prevent any abuse involving a regular admin account.
>
> Let me sum up:
> - any user can be locked permanently
> - admin users may also be locked permanently
> - the super-admin cannot be locked permanently
If an attacker knows that the super-admin account is not locked, then that account is the natural choice for brute-force attacks. Maybe we should distinguish between login/bind attempts from localhost and from remote?

Kind Regards,
Stefan
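An added illustration of the lock-out policy the thread sketches (regular and admin accounts lock permanently, the built-in super-admin does not), extended with Stefan's localhost/remote distinction. This is example code written for this archive page, not ApacheDS code; the failure threshold, the `attempt_bind` interface and the per-origin bookkeeping for the super-admin are assumptions.

```python
"""Constructed model of a ppolicy-style bind lock-out with a localhost/remote split."""
from dataclasses import dataclass, field
from ipaddress import ip_address

SUPER_ADMIN_DN = "uid=admin,ou=system"   # the built-in account named in the thread


@dataclass
class LockoutPolicy:
    max_failures: int = 3                              # assumed threshold (ppolicy would set it)
    failures: dict = field(default_factory=dict)       # key -> consecutive failed binds
    locked: set = field(default_factory=set)           # keys locked permanently

    @staticmethod
    def origin(client_ip: str) -> str:
        """Stefan's suggestion: treat binds from localhost differently from remote ones."""
        return "local" if ip_address(client_ip).is_loopback else "remote"

    def key(self, dn: str, client_ip: str) -> tuple:
        # Regular users and admins lock as a whole account; only the super-admin
        # is tracked per origin, so remote guessing never blocks the local console.
        if dn == SUPER_ADMIN_DN:
            return (dn, self.origin(client_ip))
        return (dn, "any")

    def attempt_bind(self, dn: str, client_ip: str, password_ok: bool) -> str:
        """Return 'ok', 'invalid' or 'locked' for one bind attempt and update state."""
        k = self.key(dn, client_ip)
        if k in self.locked:
            return "locked"                 # locked accounts are refused even with the right password
        if password_ok:
            self.failures.pop(k, None)      # a successful bind resets the failure counter
            return "ok"
        self.failures[k] = self.failures.get(k, 0) + 1
        if self.failures[k] >= self.max_failures:
            if k == (SUPER_ADMIN_DN, "local"):
                return "invalid"            # super-admin on localhost is never locked: recovery path
            self.locked.add(k)              # everyone else, and remote super-admin binds, lock
            return "locked"
        return "invalid"


if __name__ == "__main__":
    p = LockoutPolicy(max_failures=3)
    for _ in range(3):
        print("bob remote:", p.attempt_bind("uid=bob,ou=users", "10.0.0.5", False))
    print("bob correct password:", p.attempt_bind("uid=bob,ou=users", "10.0.0.5", True))
    for _ in range(3):
        print("admin remote:", p.attempt_bind(SUPER_ADMIN_DN, "203.0.113.9", False))
    print("admin local:", p.attempt_bind(SUPER_ADMIN_DN, "127.0.0.1", True))
```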
