Posted to dev@directory.apache.org by Kiran Ayyagari <ka...@apache.org> on 2013/03/22 14:25:40 UTC
[ApacheDS] preventing built-in admin account from getting locked permanently
Hi guys,
We have an issue in the server where the admin (uid=admin,ou=system)
account can get locked
permanently based on the ppolicy configuration to lock accounts [1].
IMO we should allow all user and admin accounts to get locked
permanently (again, based on the ppolicy config)
except the system's built-in admin account (uid=admin,ou=system). This
is just to prevent any abuse involving a
regular admin account.
Please suggest if you have any other opinions or suggestions based on
the operations perspective in a production environment.
[1] https://issues.apache.org/jira/browse/DIRSERVER-1812
--
Kiran Ayyagari
http://keydap.com
Re: [ApacheDS] preventing built-in admin account from getting locked permanently
Posted by Kiran Ayyagari <ka...@apache.org>.
On Sat, Mar 23, 2013 at 12:56 AM, Stefan Seelmann <ma...@stefan-seelmann.de> wrote:
> On 22.03.2013 14:34, Emmanuel Lécharny wrote:
> > On 3/22/13 2:25 PM, Kiran Ayyagari wrote:
> >> Hi guys,
> >>
> >> We have an issue in the server where the admin (uid=admin,ou=system)
> >> account can get locked
> >> permanently based on the ppolicy configuration to lock accounts [1].
> >>
> >> IMO we should allow all user and admin accounts to get locked
> >> permanently (again, based on the ppolicy config)
> >> except the system's built-in admin account (uid=admin,ou=system). This
> >> is just to prevent any abuse involving a
> >> regular admin account.
> >
> > Let me sum up :
> > - any user can be locked permanently
> > - admin users may also be locked permanently
> > - the super-admin cannot be locked permanently
>
> If an attacker knows that super-admin account is not locked then that
> account is the natural choice for brute force attacks. Maybe we should
> distinguish between login/bind attempts from localhost and from remote?
>
the only mechanism that server has right now is to induce incremental
delay (configurable in ppolicy) after each failure between successive login attempts.
> Kind Regards,
> Stefan
>
>
--
Kiran Ayyagari
http://keydap.com
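To make the rules being discussed concrete, here is a small Python model of them (an added example written for this page, not code from the thread or from ApacheDS): every account can be locked once it reaches the failure limit, permanently when the lockout duration is zero, except the built-in uid=admin,ou=system, which only ever receives the incremental delay Kiran mentions. The attribute names are modelled on the ppolicy attributes pwdMaxFailure, pwdLockoutDuration, pwdMinDelay and pwdMaxDelay; the `super_admin_remote_lock` knob is a hypothetical setting sketching Stefan's localhost-versus-remote distinction and does not exist in ApacheDS. The decision logic itself is the illustration, not the server's implementation.

```python
"""Added example, not ApacheDS code: a model of the account-lockout rules
discussed in this thread (permanent lock for everyone except the built-in
admin, incremental delay after each failure). Attribute names are modelled
on the ppolicy attributes pwdMaxFailure, pwdLockoutDuration, pwdMinDelay
and pwdMaxDelay; the decision logic is the illustration, not the server's."""
from dataclasses import dataclass
from typing import Optional

# The built-in account the thread wants exempt from permanent lockout.
SUPER_ADMIN_DN = "uid=admin,ou=system"


def normalize_dn(dn: str) -> str:
    """Comparison key: lower-case, whitespace-insensitive RDN sequence."""
    return ",".join(part.strip().lower() for part in dn.split(","))


@dataclass
class PasswordPolicy:
    pwd_max_failure: int = 5        # failures before a lock is applied
    pwd_lockout_duration: int = 0   # seconds; 0 means a permanent lock (ppolicy semantics)
    pwd_min_delay: int = 1          # first incremental delay, seconds
    pwd_max_delay: int = 60         # upper bound on the incremental delay, seconds
    # Hypothetical knob (not an ApacheDS setting) modelling Stefan's idea of
    # treating remote binds differently: a temporary lock, in seconds, applied
    # to the super-admin only for remote failures; 0 disables it.
    super_admin_remote_lock: int = 0


@dataclass
class Account:
    dn: str
    failures: int = 0
    locked: bool = False
    lock_until: Optional[float] = None   # None while locked means permanent


@dataclass
class Decision:
    action: str                  # "delay" or "lock"
    seconds: Optional[float]     # delay length, or lock length (None = permanent)


def is_super_admin(account: Account) -> bool:
    return normalize_dn(account.dn) == normalize_dn(SUPER_ADMIN_DN)


def incremental_delay(policy: PasswordPolicy, failures: int) -> int:
    """Delay doubles with each consecutive failure, capped at pwd_max_delay."""
    return min(policy.pwd_min_delay * 2 ** (failures - 1), policy.pwd_max_delay)


def record_failure(account: Account, policy: PasswordPolicy, now: float,
                   remote: bool) -> Decision:
    """Apply one failed bind to the account and say what the server should do."""
    account.failures += 1
    if account.failures < policy.pwd_max_failure:
        return Decision("delay", incremental_delay(policy, account.failures))
    if not is_super_admin(account):
        # Regular users and admins alike: lock, permanently if duration is 0.
        account.locked = True
        account.lock_until = (now + policy.pwd_lockout_duration
                              if policy.pwd_lockout_duration else None)
        return Decision("lock", policy.pwd_lockout_duration or None)
    # The built-in admin is never locked permanently, so at least one bindable
    # account always remains that can unlock the others.
    if remote and policy.super_admin_remote_lock:
        account.locked = True
        account.lock_until = now + policy.super_admin_remote_lock
        return Decision("lock", float(policy.super_admin_remote_lock))
    return Decision("delay", incremental_delay(policy, account.failures))


def is_locked(account: Account, now: float) -> bool:
    """True while a lock is in force; a temporary lock expires and resets the counter."""
    if not account.locked:
        return False
    if account.lock_until is None:
        return True
    if now >= account.lock_until:
        account.locked, account.failures, account.lock_until = False, 0, None
        return False
    return True


def record_success(account: Account) -> None:
    """A successful bind clears the failure counter."""
    account.failures = 0


if __name__ == "__main__":
    # Constructed demo: three failures lock a regular user for good, while the
    # built-in admin only sees its delay grow.
    policy = PasswordPolicy(pwd_max_failure=3)
    for dn in ("uid=alice,ou=users,dc=example,dc=com", SUPER_ADMIN_DN):
        acct = Account(dn)
        for t in range(4):
            if is_locked(acct, float(t)):
                print(dn, "locked")
                break
            print(dn, record_failure(acct, policy, float(t), remote=True))
```

The point Stefan raises is visible in the model: with `super_admin_remote_lock` left at 0, the only cost an attacker pays against the super-admin is the capped incremental delay, so the exemption should be paired with a strong password for that account and monitoring of its failed binds.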
Re: [ApacheDS] preventing built-in admin account from getting locked permanently
Posted by Stefan Seelmann <ma...@stefan-seelmann.de>.
On 22.03.2013 14:34, Emmanuel Lécharny wrote:
> On 3/22/13 2:25 PM, Kiran Ayyagari wrote:
>> Hi guys,
>>
>> We have an issue in the server where the admin (uid=admin,ou=system)
>> account can get locked
>> permanently based on the ppolicy configuration to lock accounts [1].
>>
>> IMO we should allow all user and admin accounts to get locked
>> permanently (again, based on the ppolicy config)
>> except the system's built-in admin account (uid=admin,ou=system). This
>> is just to prevent any abuse involving a
>> regular admin account.
>
> Let me sum up :
> - any user can be locked permanently
> - admin users may also be locked permanently
> - the super-admin cannot be locked permanently
If an attacker knows that super-admin account is not locked then that
account is the natural choice for brute force attacks. Maybe we should
distinguish between login/bind attempts from localhost and from remote?
Kind Regards,
Stefan
Re: [ApacheDS] preventing built-in admin account from getting locked permanently
Posted by Kiran Ayyagari <ka...@apache.org>.
On Fri, Mar 22, 2013 at 7:10 PM, Pierre-Arnaud Marcelot <pa...@marcelot.net> wrote:
>
> On 22 March 2013, at 14:34, Emmanuel Lécharny <el...@gmail.com> wrote:
>
> > On 3/22/13 2:25 PM, Kiran Ayyagari wrote:
> >> Hi guys,
> >>
> >> We have an issue in the server where the admin (uid=admin,ou=system)
> >> account can get locked
> >> permanently based on the ppolicy configuration to lock accounts [1].
> >>
> >> IMO we should allow all user and admin accounts to get locked
> >> permanently (again, based on the ppolicy config)
> >> except the system's built-in admin account (uid=admin,ou=system). This
> >> is just to prevent any abuse involving a
> >> regular admin account.
> >
> > Let me sum up :
> > - any user can be locked permanently
> > - admin users may also be locked permanently
> > - the super-admin cannot be locked permanently
> >
> > correct ? (If so, my +1)
>
> My +1 too, if that's the case.
>
> > That raises another question here (see [2]) :
> >
> > - assuming that [2] is solved, the super admin can unlock all the users
> > *and* all the admins ?
> > - a 'normal' admin can only lock users, not admins ?
> >
> > PS : admins are the account present in the administrators branch atm.
> > Won't it make sense to get rid of such a distinction, and to uses ACI
> > instead ?
>
> IMO, admins should be able to unlock admins as well.
> I'd expect it to work that way as a user, personally.
>
+1, good idea
>
> I see the exception we would make on making the lock of the super-admin
> impossible, more of a preventing measure to have at least one non-locked
> bindable user that can unlock others.
>
>
> Regards,
> Pierre-Arnaud
>
>
>
> >
> >> [1] https://issues.apache.org/jira/browse/DIRSERVER-1812
> >
> > [2] https://issues.apache.org/jira/browse/DIRSERVER-1813
> >
> >
> >>
> >
> >
> > --
> > Regards,
> > Best regards,
> > Emmanuel Lécharny
> > www.iktek.com
> >
>
>
--
Kiran Ayyagari
http://keydap.com
Re: [ApacheDS] preventing built-in admin account from getting locked permanently
Posted by Pierre-Arnaud Marcelot <pa...@marcelot.net>.
On 22 March 2013, at 14:34, Emmanuel Lécharny <el...@gmail.com> wrote:
> On 3/22/13 2:25 PM, Kiran Ayyagari wrote:
>> Hi guys,
>>
>> We have an issue in the server where the admin (uid=admin,ou=system)
>> account can get locked
>> permanently based on the ppolicy configuration to lock accounts [1].
>>
>> IMO we should allow all user and admin accounts to get locked
>> permanently (again, based on the ppolicy config)
>> except the system's built-in admin account (uid=admin,ou=system). This
>> is just to prevent any abuse involving a
>> regular admin account.
>
> Let me sum up :
> - any user can be locked permanently
> - admin users may also be locked permanently
> - the super-admin cannot be locked permanently
>
> correct ? (If so, my +1)
My +1 too, if that's the case.
> That raises another question here (see [2]) :
>
> - assuming that [2] is solved, the super admin can unlock all the users
> *and* all the admins ?
> - a 'normal' admin can only lock users, not admins ?
>
> PS : admins are the account present in the administrators branch atm.
> Won't it make sense to get rid of such a distinction, and to uses ACI
> instead ?
IMO, admins should be able to unlock admins as well.
I'd expect it to work that way as a user, personally.
I see the exception we would make on making the lock of the super-admin impossible, more of a preventing measure to have at least one non-locked bindable user that can unlock others.
Regards,
Pierre-Arnaud
>
>> [1] https://issues.apache.org/jira/browse/DIRSERVER-1812
>
> [2] https://issues.apache.org/jira/browse/DIRSERVER-1813
>
>
>>
>
>
> --
> Regards,
> Best regards,
> Emmanuel Lécharny
> www.iktek.com
>
Re: [ApacheDS] preventing built-in admin account from getting locked permanently
Posted by Kiran Ayyagari <ka...@apache.org>.
On Fri, Mar 22, 2013 at 7:04 PM, Emmanuel Lécharny <el...@gmail.com> wrote:
> On 3/22/13 2:25 PM, Kiran Ayyagari wrote:
> > Hi guys,
> >
> > We have an issue in the server where the admin (uid=admin,ou=system)
> > account can get locked
> > permanently based on the ppolicy configuration to lock accounts [1].
> >
> > IMO we should allow all user and admin accounts to get locked
> > permanently (again, based on the ppolicy config)
> > except the system's built-in admin account (uid=admin,ou=system). This
> > is just to prevent any abuse involving a
> > regular admin account.
>
> Let me sum up :
> - any user can be locked permanently
> - admin users may also be locked permanently
> - the super-admin cannot be locked permanently
>
> correct ? (If so, my +1)
>
yes
> That raises another question here (see [2]) :
>
> - assuming that [2] is solved, the super admin can unlock all the users
> *and* all the admins ?
>
yes
> - a 'normal' admin can only lock users, not admins ?
>
yes
> PS : admins are the account present in the administrators branch atm.
> Won't it make sense to get rid of such a distinction, and to uses ACI
> instead ?
>
+1, we have to fix DefaultCoreSession's isAnAdministrator() method for this
> [1] https://issues.apache.org/jira/browse/DIRSERVER-1812
>
> [2] https://issues.apache.org/jira/browse/DIRSERVER-1813
>
>
> >
>
>
> --
> Regards,
> Best regards,
> Emmanuel Lécharny
> www.iktek.com
>
>
--
Kiran Ayyagari
http://keydap.com
Re: [ApacheDS] preventing built-in admin account from getting locked permanently
Posted by Emmanuel Lécharny <el...@gmail.com>.
On 3/22/13 2:25 PM, Kiran Ayyagari wrote:
> Hi guys,
>
> We have an issue in the server where the admin (uid=admin,ou=system)
> account can get locked
> permanently based on the ppolicy configuration to lock accounts [1].
>
> IMO we should allow all user and admin accounts to get locked
> permanently (again, based on the ppolicy config)
> except the system's built-in admin account (uid=admin,ou=system). This
> is just to prevent any abuse involving a
> regular admin account.
Let me sum up :
- any user can be locked permanently
- admin users may also be locked permanently
- the super-admin cannot be locked permanently
correct ? (If so, my +1)
That raises another question here (see [2]) :
- assuming that [2] is solved, the super admin can unlock all the users
*and* all the admins ?
- a 'normal' admin can only lock users, not admins ?
PS : admins are the account present in the administrators branch atm.
Won't it make sense to get rid of such a distinction, and to uses ACI
instead ?
> [1] https://issues.apache.org/jira/browse/DIRSERVER-1812
[2] https://issues.apache.org/jira/browse/DIRSERVER-1813
>
--
Regards,
Best regards,
Emmanuel Lécharny
www.iktek.com