#49336 Locked account provides different return code if password is correct
Closed: wontfix 6 years ago Opened 6 years ago by firstyear.

The directory server password lockout policy prevents binds from operating once a threshold of failed passwords has been met. During this lockout, if you bind with a successful password, a different error code is returned. This means that an attacker has no rate limit or penalty during an account lock, and can continue to attempt passwords via brute force.

Proof of concept:

ldapwhoami -H ldap://localhost -x -D 'uid=testuser,dc=example,dc=com' -w password
dn: uid=testuser,dc=example,dc=com

Bind with invalid credentials a number of times to trigger the lockout:

ldapwhoami -H ldap://localhost -x -D 'uid=testuser,dc=example,dc=com' -w passworda
ldap_bind: Invalid credentials (49)

Then bind with valid credentials while the lockout is in effect:

ldapwhoami -H ldap://localhost -x -D 'uid=testuser,dc=example,dc=com' -w password
ldap_bind: Constraint violation (19)
        additional info: Exceed password retry limit. Please try later.

Workaround: Use PBKDF2_SHA256 to delay the rate at which an attacker can attempt binds. Limit the number of threads allowed to anonymous.
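The oracle described above, as an added illustration that is not part of the ticket or of the 389-ds-base code: a simulated bind handler in the leaky ordering (password verified first, so only a correct guess reaches the lockout check and gets code 19) next to a uniform ordering that consults the lockout state before the password, so every guess against a locked account gets the same code. The threshold, lockout duration and the `Account` structure are constructed assumptions, not the server's policy attributes.

```python
import hmac
from dataclasses import dataclass

# Constructed sample policy: lock after 3 failures, lock lasts 600 seconds.
MAX_FAILURES = 3
LOCKOUT_SECONDS = 600

SUCCESS = 0
CONSTRAINT_VIOLATION = 19   # code the ticket shows for a locked account
INVALID_CREDENTIALS = 49    # code the ticket shows for a wrong password


@dataclass
class Account:
    password: str            # plaintext only for the simulation
    failures: int = 0
    locked_until: float = 0.0

    def is_locked(self, now: float) -> bool:
        return now < self.locked_until

    def record_failure(self, now: float) -> None:
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS


def bind_leaky(acct: Account, password: str, now: float) -> int:
    """Password first, lockout second: a locked account answers 49 to a wrong
    guess but 19 to the right one, which is the oracle from the ticket."""
    if not hmac.compare_digest(acct.password, password):
        acct.record_failure(now)
        return INVALID_CREDENTIALS
    if acct.is_locked(now):
        return CONSTRAINT_VIOLATION
    acct.failures = 0
    return SUCCESS


def bind_uniform(acct: Account, password: str, now: float) -> int:
    """Lockout first: while locked, every guess gets 19 and learns nothing."""
    if acct.is_locked(now):
        return CONSTRAINT_VIOLATION
    if not hmac.compare_digest(acct.password, password):
        acct.record_failure(now)
        return INVALID_CREDENTIALS
    acct.failures = 0
    return SUCCESS


def oracle_distinguishes(bind, correct="password", wrong="passworda") -> bool:
    """True if a locked account's result code reveals whether a guess is right."""
    acct, now = Account(password=correct), 1000.0
    for _ in range(MAX_FAILURES):          # trigger the lockout with bad guesses
        bind(acct, wrong, now)
    return bind(acct, correct, now) != bind(acct, wrong, now)
```

`oracle_distinguishes(bind_leaky)` returns True and `oracle_distinguishes(bind_uniform)` returns False, which is the check a regression test for this class of bug should make.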


Metadata Update from @firstyear:
- Custom field component adjusted to None
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None

6 years ago

Metadata Update from @firstyear:
- Issue assigned to firstyear
- Issue priority set to: critical
- Issue tagged with: Security

6 years ago

Metadata Update from @firstyear:
- Custom field reviewstatus adjusted to review (was: None)

6 years ago

The patch looks good to me. Ack

Metadata Update from @tbordaz:
- Custom field reviewstatus adjusted to ack (was: review)

6 years ago

commit 33db32a
To ssh://git@pagure.io/389-ds-base.git
58c4f95..33db32a master -> master

Metadata Update from @firstyear:
- Custom field reviewstatus adjusted to review (was: ack)

6 years ago

I'll need some help testing this one from @vashirov or @spichugi as I have some issues with the 1.2.x env setup :(
Test passed for the scratch build:
https://vashirov.fedorapeople.org/share/report-1.2.11.15-92.html

Thanks @vashirov you are a legend.

@tbordaz can you check the backports? Are you okay for me to add these to the listed versions?

Ack on the 1.3.5 & 1.3.6 backport (we need to get the 1.3.6 patch pushed ASAP). And I'm not sure we need the 1.2.11 patch.

Pushed the 1.3.6 patch:

c903f66..95b39e2 389-ds-base-1.3.6 -> 389-ds-base-1.3.6

Thanks @mreynolds I'll push the 1.3.5 and master patches now.

commit 4cce166
To ssh://git@pagure.io/389-ds-base.git
faaa62c..4cce166 389-ds-base-1.3.5 -> 389-ds-base-1.3.5

Metadata Update from @firstyear:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/2395

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: fixed)

3 years ago
