The directory server's password lockout policy blocks binds once a threshold of failed password attempts has been reached. If an attacker binds with the correct password during the lockout, a different error code is returned than for a wrong password. The lockout therefore imposes no rate limit or penalty on the attacker, who can keep guessing passwords by brute force and recognise the right one from the result code.
Upstream bug: https://pagure.io/389-ds-base/issue/49336
Upstream patch: https://pagure.io/389-ds-base/c/33db32a3e14b849d
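The oracle described above, as an added example that is not 389-ds-base code: a constructed toy directory with a lockout policy, once with the flawed ordering (password compared even while the account is locked, so a correct guess gets a different result code) and once with the fixed ordering (every bind against a locked account gets the same answer before any comparison), plus the attacker loop that the flaw enables. The specific result codes, the account names and the wordlist are assumptions of this model; only the fact that the two codes differ matters.

```python
"""Constructed model of the lockout oracle (not the 389-ds-base implementation).

Two toy directory servers share one password-lockout policy.  The "leaky" one
reports a locked account differently depending on whether the bind password
was correct; the "fixed" one answers every bind against a locked account
identically, before touching the password at all.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# LDAP resultCode values from RFC 4511.  Which code a real server returns for
# a locked account is an assumption of this model; the point is only that the
# leaky server returns two *different* codes during the lockout window.
LDAP_SUCCESS = 0
LDAP_CONSTRAINT_VIOLATION = 19   # used here for "account locked"
LDAP_INVALID_CREDENTIALS = 49    # used here for "wrong password"


@dataclass
class Account:
    password: str
    failed_binds: int = 0


class Directory:
    def __init__(self, accounts: Dict[str, str], max_failures: int = 3,
                 leaky: bool = True) -> None:
        self.accounts = {dn: Account(pw) for dn, pw in accounts.items()}
        self.max_failures = max_failures
        self.leaky = leaky

    def _locked(self, acct: Account) -> bool:
        return acct.failed_binds >= self.max_failures

    def bind(self, dn: str, password: str) -> int:
        acct = self.accounts.get(dn)
        if acct is None:
            return LDAP_INVALID_CREDENTIALS
        if self._locked(acct):
            if self.leaky:
                # Flawed ordering: the password is still compared while the
                # account is locked, and only a correct password reaches the
                # "locked" result.  A wrong guess looks like any other wrong
                # guess, so the caller learns whether its guess was right.
                if password == acct.password:
                    return LDAP_CONSTRAINT_VIOLATION
                return LDAP_INVALID_CREDENTIALS
            # Fixed ordering: refuse before comparing anything.  Every bind
            # during the lockout gets the same answer, right or wrong.
            return LDAP_CONSTRAINT_VIOLATION
        if password == acct.password:
            acct.failed_binds = 0
            return LDAP_SUCCESS
        acct.failed_binds += 1
        return LDAP_INVALID_CREDENTIALS


def brute_force_through_lockout(server: Directory, dn: str,
                                wordlist: Iterable[str]) -> Optional[str]:
    """Attacker: deliberately trip the lockout, then keep guessing.

    Once locked, one known-bad bind establishes the baseline result code.
    Any candidate whose result differs from that baseline must be the real
    password.  Returns the recovered password, or None if the server gives
    nothing away.
    """
    junk = "\x00not-a-real-password"  # assumed never to be anyone's password
    for _ in range(server.max_failures):
        server.bind(dn, junk)
    baseline = server.bind(dn, junk)
    for candidate in wordlist:
        if server.bind(dn, candidate) != baseline:
            return candidate
    return None


# Constructed sample data: one user and a small wordlist that contains the password.
USERS = {"uid=alice,ou=people,dc=example,dc=com": "Winter2017!"}
WORDLIST = ["password", "letmein", "Summer2017!", "Winter2017!", "alice123"]


def run_attack(leaky: bool) -> Optional[str]:
    """Build a fresh server of the requested kind and run the attacker against it."""
    server = Directory(USERS, max_failures=3, leaky=leaky)
    return brute_force_through_lockout(server, next(iter(USERS)), WORDLIST)


if __name__ == "__main__":
    print("leaky server :", run_attack(leaky=True))    # recovers Winter2017!
    print("fixed server :", run_attack(leaky=False))   # None
```

To check a real deployment after patching, lock a throwaway test account with a few deliberately wrong simple binds (for example with ldapwhoami -x -D <dn> -w <password>), then bind with the correct password while it is still locked: the result code and diagnostic message must be identical to those of a wrong password during the lockout. Any difference is the oracle.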
Created 389-ds-base tracking bugs for this issue: Affects: fedora-all [bug 1477674]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2569 https://access.redhat.com/errata/RHSA-2017:2569