Bug 1476958 - Locked account provides different return code if password is correct
Summary: Locked account provides different return code if password is correct
Keywords:
Status: CLOSED DUPLICATE of bug 1478045
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: mreynolds
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks: CVE-2017-7551
Reported: 2017-08-01 00:05 UTC by wibrown@redhat.com
Modified: 2017-08-24 17:22 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-24 17:22:26 UTC
Target Upstream Version:
Embargoed:



Description wibrown@redhat.com 2017-08-01 00:05:34 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/389-ds-base/issue/49336

The directory server password lockout policy prevents binds from operating once a threshold of failed passwords has been met. During this lockout, if you bind with a successful password, a different error code is returned. This means that an attacker has no rate limit or penalty during an account lock, and can continue to attempt passwords via bruteforce.

Proof of concept:

```
ldapwhoami -H ldap://localhost -x -D 'uid=testuser,dc=example,dc=com' -w password
dn: uid=testuser,dc=example,dc=com
```

Bind with invalid credentials a number of times to trigger the lockout:

```
ldapwhoami -H ldap://localhost -x -D 'uid=testuser,dc=example,dc=com' -w passworda
ldap_bind: Invalid credentials (49)
```

Then bind with valid credentials while the lockout is in effect:

```
ldapwhoami -H ldap://localhost -x -D 'uid=testuser,dc=example,dc=com' -w password
ldap_bind: Constraint violation (19)
        additional info: Exceed password retry limit. Please try later.
```

Workaround: Use PBKDF2_SHA256 to delay the rate at which an attacker can attempt binds. Limit the number of threads allowed to anonymous.
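The following is an added example, not 389-ds code and not the reporter's proof of concept. It models the bind result codes shown above (49 = invalidCredentials, 19 = constraintViolation, 0 = success) as a small lockout state machine and shows why the differing code is an oracle: in "leaky" mode, which reproduces the reported behaviour, the only guess that does not return 49 during the lockout is the real password; in the hardened mode, which refuses the bind before the password is compared, every guess after lockout returns 19 and the attacker learns nothing. The account, candidate list, failure threshold and frozen clock are all constructed for the example.

```python
"""Model of the password-lockout result-code oracle from this bug report.

Added example. The state machine below is an assumption modelled on the
LDAP result codes in the report, not the 389-ds implementation.
"""
from dataclasses import dataclass, field

LDAP_SUCCESS = 0
LDAP_CONSTRAINT_VIOLATION = 19
LDAP_INVALID_CREDENTIALS = 49

# Constructed test data, not taken from any real directory.
TEST_DN = "uid=testuser,dc=example,dc=com"
TEST_PASSWORD = "password"
CANDIDATES = ["passworda", "letmein", "hunter2", "password", "qwerty"]


@dataclass
class Account:
    password: str
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class BindServer:
    """Simulated LDAP bind endpoint with a password-retry lockout policy."""
    accounts: dict
    max_failures: int = 3
    lockout_seconds: float = 60.0
    # leaky=True reproduces the reported behaviour: during lockout a correct
    # password returns 19 while an incorrect one still returns 49.
    leaky: bool = True
    # Frozen clock: all attempts in the example fall inside one lockout window.
    now: float = 0.0

    def bind(self, dn: str, password: str) -> int:
        acct = self.accounts.get(dn)
        if acct is None:
            # Assumed: unknown DNs get the same code as a bad password.
            return LDAP_INVALID_CREDENTIALS
        locked = self.now < acct.locked_until
        if locked and not self.leaky:
            # Hardened: refuse before comparing the password, so the result
            # code carries no information about whether the guess was right.
            return LDAP_CONSTRAINT_VIOLATION
        if password != acct.password:
            acct.failures += 1
            if acct.failures >= self.max_failures:
                acct.locked_until = self.now + self.lockout_seconds
            return LDAP_INVALID_CREDENTIALS
        if locked:
            # Leaky path: only reached when the password actually matched.
            return LDAP_CONSTRAINT_VIOLATION
        acct.failures = 0
        return LDAP_SUCCESS


def make_server(leaky: bool) -> BindServer:
    """Fresh server with one constructed account; lockout after 3 failures."""
    return BindServer(accounts={TEST_DN: Account(password=TEST_PASSWORD)},
                      max_failures=3, leaky=leaky)


def oracle_hits(server: BindServer, dn: str, candidates: list) -> list:
    """Attacker view: every candidate whose bind did NOT return 49.

    Against the leaky server this list is exactly the real password, even
    though the account is locked for the whole run. Against the hardened
    server it is simply every guess made after the lockout started.
    """
    return [c for c in candidates
            if server.bind(dn, c) != LDAP_INVALID_CREDENTIALS]


if __name__ == "__main__":
    for mode in (True, False):
        hits = oracle_hits(make_server(leaky=mode), TEST_DN, CANDIDATES)
        print(f"leaky={mode}: non-49 results for {hits}")
```

The third wrong guess locks the account, so the fourth candidate (the real password) is tried while locked. With the leaky policy it is the only candidate that returns 19, which is all a brute-forcer needs. The hardened branch makes the lockout check independent of the password comparison, so the two code paths cannot be told apart from the client side; rate limiting and a slow hash such as PBKDF2_SHA256 then bound the attack, which is the workaround the report suggests.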

Comment 3 Nathan Kinder 2017-08-24 17:22:26 UTC

*** This bug has been marked as a duplicate of bug 1478045 ***

