On Fri, 2017-07-28 at 18:49 +0000, albert.luo@xxxxxxxxxxx wrote:
> Hi,
>
> I am doing some experiments with the account lockout password policy. The account is locked out after many wrong password tries.
>
> Then:
> If I bind with the correct password, the result is
> #<OpenStruct extended_response=nil, code=19, error_message="Exceed password retry limit. Please try later.", matched_dn="", message="Constraint Violation">
>
> If I bind with a wrong password, the result is
> #<OpenStruct extended_response=nil, code=49, error_message="", matched_dn="", message="Invalid Credentials">
>
> So an attacker can still continue to try/guess different passwords until he gets the result of: code=19, error_message="Exceed password retry limit. Please try later.".
>

When you say "account lockout" you are referring to the setting:

dn: cn=config
passwordMaxFailure: 4
passwordLockoutDuration: 600

Correct?

If so this may be a security issue. Please confirm the settings you are referring to here,

Thanks,

--
Sincerely,

William Brown
Software Engineer
Red Hat, Australia/Brisbane
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
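As an added example (editor's code, not from either poster or from 389-ds), the following detection logic shows how an administrator could spot the pattern the thread describes in an access log: with the reported behaviour, wrong guesses keep returning err=49 after passwordMaxFailure is exceeded, and an err=19 reply on that DN then means the client supplied the correct password. The log lines, DNs and the BIND/RESULT layout are constructed in the style of a 389-ds access log and are assumptions, not data from the thread.

```python
import re
from collections import defaultdict

ALICE = "uid=alice,ou=people,dc=example,dc=com"   # constructed test DNs
BOB = "uid=bob,ou=people,dc=example,dc=com"

def _bind_pair(conn, op, dn, err):
    """Build one BIND/RESULT line pair in 389-ds access-log style (constructed)."""
    ts = f"[28/Jul/2017:18:49:{op:02d} +0000]"
    return (f'{ts} conn={conn} op={op} BIND dn="{dn}" method=128 version=3\n'
            f'{ts} conn={conn} op={op} RESULT err={err} tag=97 nentries=0 etime=0.000')

# Constructed sample: alice gets 6 wrong passwords (err=49), then one bind
# that returns err=19; bob mistypes once and then binds successfully (err=0).
SAMPLE_LOG = "\n".join(
    [_bind_pair(7, op, ALICE, 49) for op in range(6)]
    + [_bind_pair(7, 6, ALICE, 19), _bind_pair(8, 0, BOB, 49), _bind_pair(8, 1, BOB, 0)])

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")

def count_bind_results(log_text):
    """Per bind DN, count err=49 (Invalid Credentials) and err=19 (Constraint
    Violation, the lockout reply) results, matching RESULT to BIND via conn/op."""
    pending = {}                                    # (conn, op) -> dn
    stats = defaultdict(lambda: {"err49": 0, "err19": 0})
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            pending[(m[1], m[2])] = m[3]
        elif (m := RESULT_RE.search(line)) and (dn := pending.pop((m[1], m[2]), None)):
            if m[3] == "49":
                stats[dn]["err49"] += 1
            elif m[3] == "19":
                stats[dn]["err19"] += 1
    return dict(stats)

def lockout_findings(stats, max_failure=4):
    """Flag DNs whose failures passed passwordMaxFailure. With the behaviour from
    the thread, err=49 keeps flowing for wrong guesses after lockout, so extra
    failures mean guessing continued; an err=19 after that means the client
    supplied the correct password, so treat the credential as exposed."""
    findings = {}
    for dn, s in stats.items():
        flags = []
        if s["err49"] > max_failure:
            flags.append("guessing_continued_after_lockout")
        if s["err49"] >= max_failure and s["err19"] > 0:
            flags.append("correct_password_hit_while_locked")
        if flags:
            findings[dn] = flags
    return findings
```

Run it over a real access log by passing the file contents to count_bind_results and the configured passwordMaxFailure to lockout_findings.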