On Sat, Mar 23, 2013 at 12:56 AM, Stefan Seelmann <[email protected]> wrote:

> On 22.03.2013 14:34, Emmanuel Lécharny wrote:
> > On 3/22/13 2:25 PM, Kiran Ayyagari wrote:
> >> Hi guys,
> >>
> >> We have an issue in the server where the admin (uid=admin,ou=system)
> >> account can get locked
> >> permanently based on the ppolicy configuration to lock accounts [1].
> >>
> >> IMO we should allow all user and admin accounts to get locked
> >> permanently (again, based on the ppolicy config)
> >> except the system's built-in admin account (uid=admin,ou=system). This
> >> is just to prevent any abuse involving a
> >> regular admin account.
> >
> > Let me sum up:
> > - any user can be locked permanently
> > - admin users may also be locked permanently
> > - the super-admin cannot be locked permanently
>
> If an attacker knows that super-admin account is not locked then that
> account is the natural choice for brute force attacks. Maybe we should
> distinguish between login/bind attempts from localhost and from remote?
>

The only mechanism the server has right now is to induce an incremental delay (configurable in ppolicy) after each failure between successive login attempts.

> Kind Regards,
> Stefan
>

--
Kiran Ayyagari
http://keydap.com
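The rules being debated above (permanent lockout for users and admins, an exemption for the built-in uid=admin,ou=system account, Stefan's idea of dropping that exemption for remote binds, and the incremental delay Kiran mentions) can be modelled as a small bind guard. The following is an added example written for this page, not ApacheDS code or its ppolicy implementation; the attribute names (max_failures, lock_duration, base_delay, max_delay, exempt_only_from_localhost) and the 203.0.113.5 client address are constructed stand-ins, and the doubling delay curve is an assumption about how "incremental" might be realised.

```python
"""Toy model of the lockout rules discussed in the thread (constructed
example, not ApacheDS code). Attribute names are assumptions standing in
for the real ppolicy configuration."""
from dataclasses import dataclass
from typing import Dict, Optional

SUPER_ADMIN_DN = "uid=admin,ou=system"   # the built-in account named in the thread
LOCALHOST = {"127.0.0.1", "::1"}


@dataclass
class Policy:
    max_failures: int = 3          # failed binds before lockout (assumed name)
    lock_duration: float = 0.0     # seconds; 0 means the lock is permanent (assumed)
    base_delay: float = 1.0        # delay after the first failure, doubles each time (assumed)
    max_delay: float = 60.0        # cap on the incremental delay (assumed)
    exempt_dns: frozenset = frozenset({SUPER_ADMIN_DN})
    exempt_only_from_localhost: bool = False  # Stefan's proposal: remote binds are never exempt


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[float] = None   # None: not locked; inf: permanent lock


class BindGuard:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, dn: str) -> AccountState:
        return self.accounts.setdefault(dn.lower(), AccountState())

    def _is_exempt(self, dn: str, source_ip: str) -> bool:
        """Only the configured super-admin is exempt, and (optionally) only from localhost."""
        if dn.lower() not in {d.lower() for d in self.policy.exempt_dns}:
            return False
        if self.policy.exempt_only_from_localhost and source_ip not in LOCALHOST:
            return False
        return True

    def is_locked(self, dn: str, now: float) -> bool:
        st = self._state(dn)
        if st.locked_until is None:
            return False
        if st.locked_until <= now:          # a temporary lock has expired; clear it
            st.locked_until = None
            st.failures = 0
            return False
        return True

    def delay_for(self, dn: str) -> float:
        """Incremental delay applied to every account, exempt or not."""
        st = self._state(dn)
        if st.failures == 0:
            return 0.0
        return min(self.policy.base_delay * 2 ** (st.failures - 1), self.policy.max_delay)

    def record_failure(self, dn: str, source_ip: str, now: float) -> dict:
        """Count a failed bind; lock the account unless it is exempt."""
        st = self._state(dn)
        st.failures += 1
        if not self._is_exempt(dn, source_ip) and st.failures >= self.policy.max_failures:
            st.locked_until = (float("inf") if self.policy.lock_duration == 0
                               else now + self.policy.lock_duration)
        return {"failures": st.failures,
                "locked": self.is_locked(dn, now),
                "permanent": st.locked_until == float("inf"),
                "delay": self.delay_for(dn)}

    def record_success(self, dn: str, now: float) -> bool:
        """A correct password does not unlock a locked account."""
        if self.is_locked(dn, now):
            return False
        self._state(dn).failures = 0
        return True


def simulate_failures(policy: Policy, dn: str, source_ip: str, attempts: int) -> dict:
    """Drive `attempts` consecutive failed binds and return the last decision."""
    guard = BindGuard(policy)
    last: dict = {}
    for i in range(attempts):
        last = guard.record_failure(dn, source_ip, now=float(i))
    return last
```

The point Stefan raises is visible in the model: with the default policy the super-admin never reaches a locked state however many failures accumulate, so the only brake on guessing is the growing delay, whereas switching on exempt_only_from_localhost makes a remote attempt against that account lock it like any other.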
