If an account is locked due to the maximum number of incorrect logins, the krb5 server refuses auth for that user, but LDAP accepts the user's password.
# kinit kaushik
kinit: Clients credentials have been revoked while getting initial credentials

# ldapsearch -x -LLL -b "dc=testrelm,dc=com" -D "uid=kaushik,cn=users,cn=accounts,dc=testrelm,dc=com" -W
Enter LDAP Password:
dn: cn=compat,dc=testrelm,dc=com
objectClass: extensibleObject
cn: compat
...
There appear to be two bugs:
A copy-and-paste error related to admin unlock:
@@ -705,7 +705,7 @@ static int ipalockout_preop(Slapi_PBlock *pb) time_t unlock; memset(&tm, 0, sizeof(struct tm)); - res = sscanf(lastfail, + res = sscanf(unlock_time, "%04u%02u%02u%02u%02u%02u", &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, &tm.tm_min, &tm.tm_sec);
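Review bot: `res` is assigned from sscanf here but nothing in the hunk checks it; if `unlock_time` is empty or malformed, the partially filled `tm` yields an arbitrary unlock time, so confirm the lines that follow reject `res != 6` (or add that check). Two smaller points on the same call: `%u` stores unsigned values into the `int` members of `struct tm`, and the parsed year and month still need the `-1900` and `-1` adjustments before the value is converted with `timegm()`/`mktime()`; neither is visible in the hunk, so verify they are handled below. The substitution of `unlock_time` for `lastfail` itself is correct: parsing the unlock timestamp from the last-failure attribute is what made every account that had once been unlocked look permanently unlocked.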
And an off-by-one error allowing LDAP one more bite at the apple:
&tm.tm_hour, &tm.tm_min, &tm.tm_sec); @@ -736,7 +736,7 @@ static int ipalockout_preop(Slapi_PBlock *pb) goto done; } - if (failedcount > max_fail) { + if (failedcount >= max_fail) { if (time_now < last_failed + lockout_duration) { /* Too many failures */ LOG_TRACE("Too many failed logins. %lu out of %d\n", failedcount, max_fail);
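Review bot: with `>=` the branch is now entered when `failedcount` equals `max_fail`, which removes the extra bind attempt, but it also makes the test unconditionally true when `max_fail` is 0 (`0 >= 0`); if a policy value of 0 means lockout is disabled, confirm there is an early `goto done` for that case above this hunk, or guard it as `if (max_fail > 0 && failedcount >= max_fail)`. The LOG_TRACE format uses `%lu` for `failedcount` and `%d` for `max_fail`, so make sure those types match what the policy lookup returns.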
Additional testing is needed to confirm these are the only two problems.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=912725
Assigning to Rob as he already has the bits to fix this...
attachment freeipa-rcrit-1092-lockout.patch
Here's how I tested the patch:
(The effect of this error is that if an account was ever administratively unlocked, it is forever considered unlocked by the lockout plugin.)
$ ipa pwpolicy-mod --maxfail 1
$ ipa user-add testuser --first Test --last User
# use password "password"
$ ipa passwd testuser
$ ldapsearch -H ldap://ipa.example.com -D 'uid=testuser,cn=users,cn=accounts,dc=example,dc=com' -w badpassword -b '' -s base >/dev/null
ldap_bind: Invalid credentials (49)
$ ipa user-unlock testuser
$ ldapsearch -H ldap://ipa.example.com -D 'uid=testuser,cn=users,cn=accounts,dc=example,dc=com' -w badpassword -b '' -s base >/dev/null
ldap_bind: Invalid credentials (49)
$ ldapsearch -H ldap://ipa.example.com -D 'uid=testuser,cn=users,cn=accounts,dc=example,dc=com' -w badpassword -b '' -s base >/dev/null
ldap_bind: Server is unwilling to perform (53)
additional info: Too many failed logins.
# this search won't fail without the fix
$ ldapsearch -H ldap://ipa.example.com -D 'uid=testuser,cn=users,cn=accounts,dc=example,dc=com' -w password -b '' -s base >/dev/null
ldap_bind: Server is unwilling to perform (53)
additional info: Too many failed logins.
$ ipa user-del testuser
$ ipa pwpolicy-mod --maxfail 6
An off-by-one error where LDAP got one extra bind attempt.
$ ipa pwpolicy-mod --maxfail 1
$ ipa user-add testuser --first Test --last User
$ ipa passwd testuser
$ ldapsearch -H ldap://ipa.example.com -D 'uid=testuser,cn=users,cn=accounts,dc=example,dc=com' -w badpassword -b '' -s base >/dev/null
ldap_bind: Invalid credentials (49)
$ ldapsearch -H ldap://ipa.example.com -D 'uid=testuser,cn=users,cn=accounts,dc=example,dc=com' -w password -b '' -s base >/dev/null
ldap_bind: Server is unwilling to perform (53)
additional info: Too many failed logins.
$ ipa user-del testuser
$ ipa pwpolicy-mod --maxfail 6
krbPwdPolicyReference wasn't being retrieved as a virtual attribute so only the global_policy was used.
$ ipa group-add testgroup --desc Test
$ ipa group-add-member testgroup --users testuser
$ ipa pwpolicy-add testgroup --maxlife 90 --minlife 1 --history 0 --minclasses 0 --minlength 8 --maxfail 6 --failinterval 60 --lockouttime 600 --priority 0
$ ldapsearch -H ldap://ipa.example.com -D 'uid=testuser,cn=users,cn=accounts,dc=example,dc=com' -w password -b '' -s base >/dev/null
$ ipa pwpolicy-del testgroup
$ ipa group-del testgroup
The lockout duration wasn't examined in the context of too many failed logins, so it wasn't being applied properly.
(The effect of this error is that if the lockout duration is set to 0, all bind attempts fail with "entry permanently locked" error.)
$ ipa pwpolicy-mod --lockouttime 0
$ ipa user-add testuser --first Test --last User
# use password "password"
$ ipa passwd testuser
# this search will fail without the fix
$ ldapsearch -H ldap://ipa.example.com -D 'uid=testuser,cn=users,cn=accounts,dc=example,dc=com' -w password -b '' -s base >/dev/null
$ ipa user-del testuser
$ ipa pwpolicy-mod --lockouttime 600
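As an added illustration (not code from the FreeIPA ipalockout plugin or from this ticket), the C model below reproduces the three decisions the hunks and the test runs above describe: parsing the administrative unlock timestamp with sscanf and rejecting a short or malformed value, the `>` versus `>=` comparison that gave LDAP one extra bind attempt, and the ordering that makes a lockout duration of 0 mean "permanent once the failure count is reached" rather than "every bind fails". The function names, the `strict` switch, and the unlock semantics (an unlock issued at or after the last failure clears the count) are assumptions of this model, not the plugin's own code.

```c
#include <stdio.h>
#include <stdint.h>

/* Outcome of the modelled pre-bind lockout check (assumed names). */
enum lockout_result {
    LOCKOUT_ALLOW = 0,      /* bind may proceed to the password check */
    LOCKOUT_TOO_MANY = 1,   /* "Too many failed logins" (LDAP error 53) */
    LOCKOUT_PERMANENT = 2   /* "entry permanently locked" */
};

/* Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's
 * days_from_civil), used instead of the non-portable timegm(). */
static int64_t days_from_civil(int y, unsigned m, unsigned d)
{
    y -= m <= 2;
    const int64_t era = (y >= 0 ? y : y - 399) / 400;
    const unsigned yoe = (unsigned)(y - era * 400);
    const unsigned doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    const unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (int64_t)doe - 719468;
}

/* Parse an LDAP GeneralizedTime such as "20130220153000Z" into seconds
 * since the epoch.  Returns 0 on success, -1 on malformed input.  This is
 * the step the first hunk corrects: it must read the unlock attribute, and
 * the sscanf result must be checked before the struct is trusted. */
int parse_generalized_time(const char *value, int64_t *out)
{
    unsigned year, mon, day, hour, min, sec;
    int res;

    if (value == NULL || out == NULL)
        return -1;
    res = sscanf(value, "%04u%02u%02u%02u%02u%02u",
                 &year, &mon, &day, &hour, &min, &sec);
    /* Reject anything short of six fields or outside calendar ranges. */
    if (res != 6 || mon < 1 || mon > 12 || day < 1 || day > 31 ||
        hour > 23 || min > 59 || sec > 60)
        return -1;
    *out = days_from_civil((int)year, mon, day) * 86400
         + (int64_t)hour * 3600 + (int64_t)min * 60 + sec;
    return 0;
}

/* Convenience wrapper: epoch seconds, or -1 if the value does not parse. */
int64_t generalized_time_to_epoch(const char *value)
{
    int64_t t;
    return parse_generalized_time(value, &t) == 0 ? t : -1;
}

/* Decide whether a bind for an account with `failedcount` recorded failures
 * is refused before the password is checked.
 *   max_fail         policy max failures (0 = lockout disabled)
 *   lockout_duration policy lockout time in seconds (0 = permanent)
 *   last_failed      time of the most recent failure (epoch seconds)
 *   unlock_time      time of the last admin unlock, 0 if never unlocked
 *   time_now         current time
 *   strict           1 = corrected ">=" comparison; 0 reproduces the
 *                    original ">" that granted one extra attempt */
enum lockout_result lockout_check(unsigned long failedcount, int max_fail,
                                  int64_t lockout_duration, int64_t last_failed,
                                  int64_t unlock_time, int64_t time_now,
                                  int strict)
{
    if (max_fail <= 0)
        return LOCKOUT_ALLOW;   /* lockout disabled by policy */

    /* Modelled semantics: an admin unlock at or after the last failure
     * clears the count.  Parsing the wrong attribute here is what made
     * once-unlocked accounts look unlocked forever. */
    if (unlock_time != 0 && unlock_time >= last_failed)
        return LOCKOUT_ALLOW;

    int over = strict ? (failedcount >= (unsigned long)max_fail)
                      : (failedcount >  (unsigned long)max_fail);
    if (!over)
        return LOCKOUT_ALLOW;

    /* Only now does the duration matter; checking duration == 0 before the
     * count is what locked every account when lockouttime was 0. */
    if (lockout_duration == 0)
        return LOCKOUT_PERMANENT;   /* no expiry: locked until admin unlock */
    if (time_now < last_failed + lockout_duration)
        return LOCKOUT_TOO_MANY;    /* still inside the lockout window */
    return LOCKOUT_ALLOW;           /* window elapsed */
}
```

Running `lockout_check(1, 1, 600, last, 0, last + 100, 0)` returns `LOCKOUT_ALLOW` while the same call with `strict = 1` returns `LOCKOUT_TOO_MANY`, which is exactly the extra bind the `--maxfail 1` test run exercises.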
master: 797baef
Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.2 - 2013/03