You can prevent online password guessing attacks by using unpredictable identifiers for users.
If an attacker doesn’t know the name of the account, then it's another obstacle to overcome before they can authenticate as them.
An entry’s DN is the most common identifier used to authenticate, as it's required for simple binds and is often used for SASL binds. For regular users, you should name accounts with the entryUUID attribute. However, this isn't feasible for root users or topology administrators because the configuration framework requires these entries to use cn as the naming attribute. Further, many SASL mechanisms allow identifying users with a username, which is correlated to the associated entry using an identity mapper, so using an unpredictable DN might not be enough to sufficiently interfere with an attacker’s ability to target a server administrator.
The best way to obscure identifiers for root users and topology administrators is to choose unpredictable values for the cn attribute in their accounts and not include any predictable alternate bind DN values for those accounts. Although it would be possible to use randomly generated cn values, it should be sufficient to use more memorable strings as long as they aren't something an attacker is likely to guess even if they know the identities of those administrators.
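The following helper, added here as an illustration and not part of the product or its documentation, applies the two rules above: it builds an entryUUID-based DN for a regular user entry, and it rejects a proposed root-user cn that matches a common default administrator name or can be derived from what an attacker may already know about the administrator (name, username, e-mail). The base DN, the function names, the list of common administrator names and the sample identity are all assumptions made for this example.

```python
"""Naming checks for directory accounts (added example, not the product's
own code).

- entry_uuid_dn(): name a regular user entry by its entryUUID.
- cn_is_predictable(): flag a root-user cn that an attacker could guess
  from a default name or from the administrator's known identity.
"""
import re
import unicodedata
import uuid

# Assumed base DN for this example; substitute your own.
PEOPLE_BASE_DN = "ou=People,dc=example,dc=com"

# Constructed list of administrator names attackers routinely try first.
COMMON_ADMIN_NAMES = {
    "directory manager", "admin", "administrator", "root",
    "manager", "superuser", "ldapadmin",
}


def entry_uuid_dn(entry_uuid=None, base_dn=PEOPLE_BASE_DN):
    """Return the DN of a regular user entry named by its entryUUID.

    A fresh random UUID is generated when none is supplied. A malformed
    UUID raises ValueError rather than producing a bogus DN.
    """
    value = str(entry_uuid) if entry_uuid is not None else str(uuid.uuid4())
    uuid.UUID(value)  # validates the format; UUIDs need no RDN escaping
    return f"entryUUID={value},{base_dn}"


def _normalize(text):
    """Lowercase, strip accents and keep only letters and digits so that
    'J.Smith', 'j_smith' and 'jsmith' compare equal."""
    text = unicodedata.normalize("NFKD", text)
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _identity_tokens(identity):
    """Derive the substrings an attacker could build a guess from:
    each whole field plus its name/username parts (e-mail domain dropped)."""
    tokens = set()
    for field in identity:
        local = field.split("@", 1)[0]  # keep only the local part of e-mails
        whole = _normalize(local)
        if len(whole) >= 3:
            tokens.add(whole)
        for part in re.split(r"[.\s_\-]+", local):
            norm = _normalize(part)
            if len(norm) >= 3:
                tokens.add(norm)
    return tokens


def cn_is_predictable(candidate_cn, admin_identity, common=COMMON_ADMIN_NAMES):
    """Return a reason string if the proposed root-user cn is predictable,
    or None if it passes.

    admin_identity is an iterable of strings an attacker could plausibly
    know about the administrator: full name, username, e-mail address.
    """
    norm = _normalize(candidate_cn)
    if len(norm) < 8:
        return "too short to be unpredictable"
    if norm in {_normalize(name) for name in common}:
        return "matches a common administrator account name"
    for token in _identity_tokens(admin_identity):
        if token in norm:
            return f"contains identity token {token!r}"
    return None


if __name__ == "__main__":
    # Constructed sample administrator identity.
    admin = ["Jane Smith", "jsmith", "jane.smith@example.com"]
    print(entry_uuid_dn())
    for cn in ["Directory Manager", "jsmith-root", "cobalt-harbor-7"]:
        print(f"{cn!r}: {cn_is_predictable(cn, admin) or 'ok'}")
```

The check is deliberately conservative: it compares on normalized strings so that punctuation, case and accents do not hide an obvious derivation, and it treats anything shorter than eight alphanumerics as too short to count as unpredictable. Run the same check against every alternate bind DN you intend to add to a root account, since a predictable alternate DN undoes the benefit of an unpredictable cn.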