A flaw was found in the way 389-ds-base handled authentication attempts against locked accounts. A remote attacker could potentially use this flaw to continue password brute-forcing attacks against LDAP accounts, thereby bypassing the protection offered by the directory server's password lockout policy.
The directory server password lockout policy prevents binds from succeeding once a threshold of failed passwords has been met. If an attacker binds with the correct password during this lockout, a different error code is returned than for an incorrect one. This means the attacker faces no rate limit or penalty during the account lock and can continue to attempt passwords by brute force.
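The oracle described above comes down to the order in which a bind handler checks the password and the lockout state. The following is an added toy model, not 389-ds-base code: `bind_vulnerable` verifies the password before consulting the lock and so answers differently for a correct password on a locked account, while `bind_fixed` checks the lock first and returns one constant result for every attempt on a locked account. The in-memory account store, the threshold and the choice of result codes (LDAP `invalidCredentials` 49 for a bad password, `constraintViolation` 19 to mean "locked") are assumptions of this example.

```python
"""Toy LDAP bind handling showing the lockout-bypass flaw and its fix.

Constructed example; it is not code from 389-ds-base. The point it
demonstrates: if a locked account yields different result codes for a right
and a wrong password, the lock no longer throttles guessing.
"""
from dataclasses import dataclass
import hashlib
import hmac

LOCKOUT_THRESHOLD = 3  # assumed threshold for this toy

# Result codes modelled on LDAP resultCode values. Using constraintViolation
# (19) to signal "account locked" is an assumption of this example.
SUCCESS = 0
CONSTRAINT_VIOLATION = 19
INVALID_CREDENTIALS = 49


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_account(password: str) -> Account:
    salt = b"constructed-salt"  # fixed salt keeps the toy deterministic
    return Account(salt=salt, pw_hash=_derive(password, salt))


def password_ok(acct: Account, candidate: str) -> bool:
    return hmac.compare_digest(acct.pw_hash, _derive(candidate, acct.salt))


def _record_failure(acct: Account) -> int:
    acct.failed_attempts += 1
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        acct.locked = True
    return INVALID_CREDENTIALS


def bind_vulnerable(acct: Account, candidate: str) -> int:
    """Password is checked before the lock: a correct guess on a locked
    account returns 19 while a wrong guess still returns 49, so the lock
    leaks which guess was right."""
    if not password_ok(acct, candidate):
        return _record_failure(acct)
    if acct.locked:
        return CONSTRAINT_VIOLATION
    return SUCCESS


def bind_fixed(acct: Account, candidate: str) -> int:
    """Lock is checked first: every bind against a locked account gets the
    same result regardless of the password offered."""
    if acct.locked:
        return CONSTRAINT_VIOLATION
    if not password_ok(acct, candidate):
        return _record_failure(acct)
    return SUCCESS


def results_while_locked(bind, password: str) -> set:
    """Lock an account by exhausting the threshold with wrong guesses, then
    bind once with a wrong and once with the right password. Return the set
    of result codes seen; two distinct codes means the server is an oracle."""
    acct = make_account(password)
    for _ in range(LOCKOUT_THRESHOLD):
        bind(acct, "wrong-guess")
    assert acct.locked
    return {bind(acct, "wrong-guess"), bind(acct, password)}


if __name__ == "__main__":
    print("vulnerable:", results_while_locked(bind_vulnerable, "hunter2"))  # two codes
    print("fixed:     ", results_while_locked(bind_fixed, "hunter2"))       # one code
```

For a defender reviewing a lockout implementation, the check is the one `results_while_locked` performs: while an account is locked, a correct and an incorrect password must produce byte-identical responses (result code and diagnostic message alike), and the response should not be faster for one than the other.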
Created 389-ds-base tracking bugs for this issue:
Affects: fedora-all [bug 1477674]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:2569 https://access.redhat.com/errata/RHSA-2017:2569