Bug 1476958

Summary: Locked account provides different return code if password is correct
Product: Red Hat Enterprise Linux 7
Reporter: wibrown <wibrown>
Component: 389-ds-base
Assignee: mreynolds
Status: CLOSED DUPLICATE
QA Contact: Viktor Ashirov <vashirov>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 7.3
CC: nkinder, rmeggins
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-24 17:22:26 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1477669

Description wibrown@redhat.com 2017-08-01 00:05:34 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/389-ds-base/issue/49336

The directory server password lockout policy prevents binds from operating once a threshold of failed passwords has been met. During this lockout, if you bind with a successful password, a different error code is returned. This means that an attacker has no rate limit or penalty during an account lock, and can continue to attempt passwords via bruteforce.

Proof of concept:

```
ldapwhoami -H ldap://localhost -x -D 'uid=testuser,dc=example,dc=com' -w password
dn: uid=testuser,dc=example,dc=com
```

Bind with invalid credentials a number of times to trigger the lockout:

```
ldapwhoami -H ldap://localhost -x -D 'uid=testuser,dc=example,dc=com' -w passworda
ldap_bind: Invalid credentials (49)
```

Then bind with valid credentials while the lockout is in effect:

```
ldapwhoami -H ldap://localhost -x -D 'uid=testuser,dc=example,dc=com' -w password
ldap_bind: Constraint violation (19)
        additional info: Exceed password retry limit. Please try later.
```

Workaround: Use PBKDF2_SHA256 to delay the rate at which an attacker can attempt binds. Limit the number of threads allowed to anonymous.
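The report describes an authentication oracle: while the account is locked, the server still reveals whether a guess was right (error 19) or wrong (error 49). The following model is an added illustration and is not code from the bug report or from 389-ds-base; the in-memory `Account` class, the threshold and duration constants, and the `bind_vulnerable`/`bind_hardened` functions are all constructed for the example. Only the numeric result codes (49 = invalidCredentials, 19 = constraintViolation) come from the page. It shows the two orderings of the lockout check side by side and why only one of them actually stops guessing.

```python
"""Model of the lockout/return-code oracle from the bug report (added example).

Not 389-ds-base code: the account store, password scheme, constants and the
two bind functions below are constructed for this illustration.
"""
import hashlib
import hmac
import os
import time

# LDAP result codes as seen in the report's output.
SUCCESS = 0
CONSTRAINT_VIOLATION = 19
INVALID_CREDENTIALS = 49

LOCKOUT_THRESHOLD = 3      # constructed policy values
LOCKOUT_DURATION = 600.0   # seconds


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256, as suggested by the workaround; iteration count is constructed.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class Account:
    """Minimal in-memory account with a retry counter and a lock expiry time."""

    def __init__(self, dn: str, password: str):
        self.dn = dn
        self.salt = os.urandom(16)
        self.digest = _hash(password, self.salt)
        self.retry_count = 0
        self.locked_until = 0.0

    def locked(self, now: float) -> bool:
        return now < self.locked_until

    def password_matches(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self.salt), self.digest)


def _record_failure(acct: Account, now: float) -> None:
    acct.retry_count += 1
    if acct.retry_count >= LOCKOUT_THRESHOLD:
        acct.locked_until = now + LOCKOUT_DURATION


def bind_vulnerable(acct: Account, password: str, now: float = None) -> int:
    """Password is verified BEFORE the lock is consulted: a locked account
    answers 49 to a wrong guess and 19 to the right one, so the lock only
    blocks the final login, not the guessing."""
    now = time.time() if now is None else now
    if not acct.password_matches(password):
        _record_failure(acct, now)
        return INVALID_CREDENTIALS
    if acct.locked(now):
        return CONSTRAINT_VIOLATION
    acct.retry_count = 0
    return SUCCESS


def bind_hardened(acct: Account, password: str, now: float = None) -> int:
    """Lock is consulted FIRST and the same code is returned for every bind
    while it is in effect, so the response carries no information about
    the guess; the password is not even compared."""
    now = time.time() if now is None else now
    if acct.locked(now):
        return CONSTRAINT_VIOLATION
    if not acct.password_matches(password):
        _record_failure(acct, now)
        return INVALID_CREDENTIALS
    acct.retry_count = 0
    return SUCCESS


def responses_while_locked(bind, password: str) -> tuple:
    """Lock a fresh account, then return (code for a wrong guess, code for the
    right password) observed during the lockout window."""
    acct = Account("uid=testuser,dc=example,dc=com", password)
    t = 1_000_000.0
    for _ in range(LOCKOUT_THRESHOLD):
        bind(acct, "wrong-guess", now=t)
    return bind(acct, "wrong-guess", now=t + 1), bind(acct, password, now=t + 2)


if __name__ == "__main__":
    print("vulnerable ordering:", responses_while_locked(bind_vulnerable, "password"))
    print("hardened ordering:  ", responses_while_locked(bind_hardened, "password"))
```

With the vulnerable ordering the two guesses come back as `(49, 19)`, which is exactly the distinguishable pair shown in the report's transcript; with the hardened ordering both come back as `(19, 19)`. The cost of the fix is that a legitimate user who types the correct password during the lock also sees the retry-limit error, which is the intended behaviour of a lockout. Checking the lock before touching the password hash also means the server does no expensive PBKDF2 work for a locked account, which complements the workaround above.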

Comment 3 Nathan Kinder 2017-08-24 17:22:26 UTC

*** This bug has been marked as a duplicate of bug 1478045 ***