On Fri, 2017-07-28 at 18:49 +0000, [email protected] wrote:
> Hi,
>
> I am doing some experiments with account lockout password policy. The
> account is locked out after many wrong password tries.
>
> Then
> If bind with correct password, the result is
> #<OpenStruct extended_response=nil, code=19, error_message="Exceed password
> retry limit. Please try later.", matched_dn="", message="Constraint
> Violation">
>
> if bind with wrong password, the result is
> #<OpenStruct extended_response=nil, code=49, error_message="", matched_dn="",
> message="Invalid Credentials">
>
> So an attacker can still continue to try/guess different passwords until he
> gets the result of: code=19, error_message="Exceed password retry limit.
> Please try later.".
>
When you say "account lockout" you are referring to the setting:

dn: cn=config
passwordMaxFailure: 4
passwordLockoutDuration: 600

Correct? If so this may be a security issue. Please confirm the settings you
are referring to here,

Thanks,

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Australia/Brisbane
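To make the reported behaviour concrete, here is an added model of a simple-bind handler under the cn=config values named above (passwordMaxFailure: 4, passwordLockoutDuration: 600). It is example code written for this thread, not 389-ds code: the `LockoutPolicy` class, its `uniform` flag, the `distinguishable` check and the DN `uid=alice,ou=people,dc=example,dc=com` are all constructed for illustration. Result codes are the standard RFC 4511 values (49 invalidCredentials, 19 constraintViolation). The leaky mode reproduces what the quoted mail observed: once the account is locked, a correct password yields 19 while a wrong one still yields 49, so the lockout response itself confirms which guess was right. The `uniform` mode shows the non-leaking alternative an operator would want, where every bind against a locked account gets the same answer; it is an illustration of the desired property, not a description of any 389-ds fix.

```python
"""Toy model of LDAP simple bind under an account-lockout policy.

Added example for the 389-users thread; not 389-ds code. Credentials are
stored in a plain dict purely so the model runs offline.
"""
import hmac
from dataclasses import dataclass, field

# RFC 4511 result codes
INVALID_CREDENTIALS = 49
CONSTRAINT_VIOLATION = 19
LOCKOUT_MESSAGE = "Exceed password retry limit. Please try later."


@dataclass
class LockoutPolicy:
    max_failure: int = 4           # passwordMaxFailure from the reply above
    lockout_duration: int = 600    # passwordLockoutDuration (seconds)
    uniform: bool = False          # True: a locked account answers identically
    passwords: dict = field(default_factory=dict)     # constructed dn -> password
    failures: dict = field(default_factory=dict)      # dn -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # dn -> unlock timestamp

    def bind(self, dn: str, password: str, now: float):
        """Return (result_code, error_message) for a bind attempted at `now`."""
        locked = self.locked_until.get(dn, 0) > now
        correct = hmac.compare_digest(self.passwords.get(dn, ""), password)

        if locked:
            if self.uniform or correct:
                return CONSTRAINT_VIOLATION, LOCKOUT_MESSAGE
            # Leaky mode: a wrong guess against a locked account looks exactly
            # like a wrong guess against an unlocked one, which is the oracle
            # described in the quoted mail.
            return INVALID_CREDENTIALS, ""

        if correct:
            self.failures[dn] = 0
            return 0, ""

        # Wrong password on an unlocked account: count it, lock at the limit.
        self.failures[dn] = self.failures.get(dn, 0) + 1
        if self.failures[dn] >= self.max_failure:
            self.locked_until[dn] = now + self.lockout_duration
        return INVALID_CREDENTIALS, ""


def distinguishable(uniform: bool) -> bool:
    """Lock a constructed account, then check whether the locked-account
    responses differ between a wrong and the correct password. True means
    the lockout response leaks password correctness."""
    dn = "uid=alice,ou=people,dc=example,dc=com"   # constructed DN
    policy = LockoutPolicy(uniform=uniform, passwords={dn: "correct horse"})
    for i in range(policy.max_failure):
        policy.bind(dn, f"wrong{i}", now=0)        # drive the account to lockout
    wrong = policy.bind(dn, "still wrong", now=1)
    right = policy.bind(dn, "correct horse", now=1)
    return wrong != right


if __name__ == "__main__":
    print("leaky policy distinguishable:", distinguishable(uniform=False))
    print("uniform policy distinguishable:", distinguishable(uniform=True))
```

The `distinguishable` check is the kind of regression test an operator could keep alongside their password-policy configuration: it should report False for the deployed behaviour. The model also lets the lock expire after `lockout_duration` seconds, so a correct bind at a later `now` succeeds again and resets the failure count.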
_______________________________________________
389-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
