#3433 LDAP account lockout inconsistency
Closed: Fixed None Opened 11 years ago by rcritten.

If an account is locked due to the max number of incorrect logins, the krb5 server refuses auth for that user, but LDAP accepts the user password.

# kinit kaushik
kinit: Clients credentials have been revoked while getting initial credentials

# ldapsearch -x -LLL -b "dc=testrelm,dc=com" -D "uid=kaushik,cn=users,cn=accounts,dc=testrelm,dc=com" -W
Enter LDAP Password:
dn: cn=compat,dc=testrelm,dc=com
objectClass: extensibleObject
cn: compat
...

There appear to be two bugs:

A copy-and-paste error related to admin unlock:

@@ -705,7 +705,7 @@ static int ipalockout_preop(Slapi_PBlock *pb)
              time_t unlock;

              memset(&tm, 0, sizeof(struct tm));
-            res = sscanf(lastfail,
+            res = sscanf(unlock_time,
                           "%04u%02u%02u%02u%02u%02u",
                           &tm.tm_year, &tm.tm_mon, &tm.tm_mday,
                           &tm.tm_hour, &tm.tm_min, &tm.tm_sec);
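Review bot: the sscanf return value `res` is assigned but nothing in this hunk checks that all six fields were converted; a truncated or malformed unlock timestamp would leave part of the zeroed `tm` in place and yield a bogus `unlock` time. Check `res == 6` before `unlock` is computed from `tm`. Reading `unlock_time` instead of `lastfail` is the right fix for the admin-unlock path; also confirm that `tm_year` and `tm_mon` are adjusted (minus 1900 and minus 1) where `tm` is later converted, since the format reads the raw calendar values.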

And an off-by-one error allowing LDAP one more bite at the apple:

@@ -736,7 +736,7 @@ static int ipalockout_preop(Slapi_PBlock *pb)
          goto done;
      }

-    if (failedcount > max_fail) {
+    if (failedcount >= max_fail) {
          if (time_now < last_failed + lockout_duration) {
              /* Too many failures */
              LOG_TRACE("Too many failed logins. %lu out of %d\n", 
failedcount, max_fail);
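Review bot: with the comparison changed to `>=`, a `max_fail` of 0 now matches every entry (`failedcount >= 0` is always true), so the early exit just above the condition (`goto done;`) must cover the max_fail == 0 case or users with any recorded failure will be refused under a policy that disables lockout; please confirm that check exists earlier in the function. The `%lu` in the LOG_TRACE format also assumes `failedcount` is an unsigned long; adjust the specifier if it is not.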

Additional testing is needed to confirm these are the only two problems.
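As an added example (not code from this ticket or from the ipa_lockout plugin), the two corrections carried through as stand-alone C: the timestamp parse with the same sscanf format, now checking that all six fields converted, and the lockout decision with `>=`. Treating a lockout duration of 0 as a permanent lock follows the "entry permanently locked" error quoted later in the ticket; treating max_fail 0 as "lockout disabled", the use of glibc's timegm(), and the parameter names are assumptions.

```c
#define _GNU_SOURCE           /* for timegm() on glibc; assumption: Linux/glibc */
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Parse a Kerberos timestamp (YYYYMMDDHHMMSS, optionally followed by 'Z') into
 * UTC epoch seconds using the plugin's sscanf format. Unlike the hunk above,
 * it refuses a value that does not yield all six fields instead of working
 * from a half-filled struct tm. Returns (time_t)-1 on a malformed or missing value. */
time_t parse_krb_time(const char *s)
{
    struct tm tm;
    unsigned y, mo, d, h, mi, sec;

    if (s == NULL)
        return (time_t)-1;
    if (sscanf(s, "%04u%02u%02u%02u%02u%02u", &y, &mo, &d, &h, &mi, &sec) != 6)
        return (time_t)-1;
    memset(&tm, 0, sizeof(tm));
    tm.tm_year = (int)y - 1900;  /* struct tm counts years from 1900 ... */
    tm.tm_mon  = (int)mo - 1;    /* ... and months from 0 */
    tm.tm_mday = (int)d;
    tm.tm_hour = (int)h;
    tm.tm_min  = (int)mi;
    tm.tm_sec  = (int)sec;
    return timegm(&tm);          /* timestamps are UTC, so not mktime() */
}

/* Decide whether a simple bind must be refused. Lock at the max_fail-th
 * failure (>=, the corrected comparison). An administrative unlock only
 * counts if it happened after the last failure, which is the admin-unlock
 * bug fixed above. A lockout_duration of 0 means the lock never expires.
 * max_fail == 0 is taken to mean "no lockout" (assumption). */
int bind_is_locked(unsigned long failedcount, unsigned max_fail,
                   time_t last_failed, time_t unlock_time,
                   long lockout_duration, time_t now)
{
    if (max_fail == 0 || failedcount < max_fail)
        return 0;                                /* not enough failures yet */
    if (unlock_time != (time_t)-1 && unlock_time > last_failed)
        return 0;                                /* admin unlocked since last failure */
    if (lockout_duration == 0)
        return 1;                                /* permanent lock */
    return now < last_failed + lockout_duration; /* still inside the lockout window */
}
```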


Assigning to Rob as he already has the bits to fix this...

Here's how I tested the patch:

  • A cut-n-paste error where the wrong value was being considered when an account was administratively unlocked.

    (The effect of this error is that if an account was ever administratively unlocked, it is forever considered unlocked by the lockout plugin.)

    $ ipa pwpolicy-mod --maxfail 1

    $ ipa user-add testuser --first Test --last User

    # use password "password"
    $ ipa passwd testuser

    $ ldapsearch -H ldap://ipa.example.com -D 'uid=testuser,cn=users,cn=accounts,dc=example,dc=com' -w badpassword -b '' -s base >/dev/null
    ldap_bind: Invalid credentials (49)

    $ ipa user-unlock testuser

    $ ldapsearch -H ldap://ipa.example.com -D 'uid=testuser,cn=users,cn=accounts,dc=example,dc=com' -w badpassword -b '' -s base >/dev/null
    ldap_bind: Invalid credentials (49)

    $ ldapsearch -H ldap://ipa.example.com -D 'uid=testuser,cn=users,cn=accounts,dc=example,dc=com' -w badpassword -b '' -s base >/dev/null
    ldap_bind: Server is unwilling to perform (53)
            additional info: Too many failed logins.

    # this search won't fail without the fix
    $ ldapsearch -H ldap://ipa.example.com -D 'uid=testuser,cn=users,cn=accounts,dc=example,dc=com' -w password -b '' -s base >/dev/null
    ldap_bind: Server is unwilling to perform (53)
            additional info: Too many failed logins.

    $ ipa user-del testuser

    $ ipa pwpolicy-mod --maxfail 6

  • An off-by-one error where LDAP got one extra bind attempt.

    $ ipa pwpolicy-mod --maxfail 1

    $ ipa user-add testuser --first Test --last User

    # use password "password"
    $ ipa passwd testuser

    $ ldapsearch -H ldap://ipa.example.com -D 'uid=testuser,cn=users,cn=accounts,dc=example,dc=com' -w badpassword -b '' -s base >/dev/null
    ldap_bind: Invalid credentials (49)

    # this search won't fail without the fix
    $ ldapsearch -H ldap://ipa.example.com -D 'uid=testuser,cn=users,cn=accounts,dc=example,dc=com' -w password -b '' -s base >/dev/null
    ldap_bind: Server is unwilling to perform (53)
            additional info: Too many failed logins.

    $ ipa user-del testuser

    $ ipa pwpolicy-mod --maxfail 6

  • krbPwdPolicyReference wasn't being retrieved as a virtual attribute so only the global_policy was used.

    $ ipa pwpolicy-mod --maxfail 1

    $ ipa user-add testuser --first Test --last User

    # use password "password"
    $ ipa passwd testuser

    $ ipa group-add testgroup --desc Test

    $ ipa group-add-member testgroup --users testuser

    $ ipa pwpolicy-add testgroup --maxlife 90 --minlife 1 --history 0 --minclasses 0 --minlength 8 --maxfail 6 --failinterval 60 --lockouttime 600 --priority 0

    $ ldapsearch -H ldap://ipa.example.com -D 'uid=testuser,cn=users,cn=accounts,dc=example,dc=com' -w badpassword -b '' -s base >/dev/null
    ldap_bind: Invalid credentials (49)

    $ ldapsearch -H ldap://ipa.example.com -D 'uid=testuser,cn=users,cn=accounts,dc=example,dc=com' -w badpassword -b '' -s base >/dev/null
    ldap_bind: Invalid credentials (49)

    # this search will fail without the fix
    $ ldapsearch -H ldap://ipa.example.com -D 'uid=testuser,cn=users,cn=accounts,dc=example,dc=com' -w password -b '' -s base >/dev/null

    $ ipa pwpolicy-del testgroup

    $ ipa group-del testgroup

    $ ipa user-del testuser

    $ ipa pwpolicy-mod --maxfail 6

  • The lockout duration wasn't examined in the context of too many failed logins so was being applied properly.

    (The effect of this error is that if the lockout duration is set to 0, all bind attempts fail with "entry permanently locked" error.)

    $ ipa pwpolicy-mod --lockouttime 0

    $ ipa user-add testuser --first Test --last User

    # use password "password"
    $ ipa passwd testuser

    # this search will fail without the fix
    $ ldapsearch -H ldap://ipa.example.com -D 'uid=testuser,cn=users,cn=accounts,dc=example,dc=com' -w password -b '' -s base >/dev/null

    $ ipa user-del testuser

    $ ipa pwpolicy-mod --lockouttime 600

Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.2 - 2013/03

7 years ago