[Freeipa-devel] [PATCH] 1092 Fix LDAP lockout plugin
Martin Kosek
mkosek at redhat.com
Mon Mar 18 12:43:27 UTC 2013
On 03/15/2013 04:42 PM, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 03/11/2013 10:07 PM, Rob Crittenden wrote:
>>>> Fixed a number of issues applying password policy against LDAP binds.
>>>> See patch
>>>> for details.
>>>>
>>>> rob
>>>>
>>>
>>> I see some issues with this fix:
>>>
>>> 1) Shouldn't group password policy serve only as an override to the main
>>> policy? I.e. if I have this policy:
>>>
>>> # ipa pwpolicy-show test
>>> Group: test
>>> Priority: 10
>>> Max failures: 2
>>>
>>> We should still follow settings other than "Max failures" configured in
>>> global policy, right? At least the Kerberos seem to do it. I think we
>>> should be consistent in this case. Now, other values just seem to be
>>> zero.
>>
>> There should be only one policy. It isn't supposed to merge policies
>> together (there is only one krbPwdPolicyReference per principal).
That's a good point.
>>
>> How is the KDC acting differently?
For example, if you set only the maximal number of bad password guesses, it does
not allow any more (user fbar1 is a member of the test group):
# ipa pwpolicy-mod test --maxfail 3
Group: test
Priority: 10
Max failures: 3
# kinit fbar1
Password for fbar1 at IDM.LAB.BOS.REDHAT.COM:
kinit: Password incorrect while getting initial credentials
# kinit fbar1
Password for fbar1 at IDM.LAB.BOS.REDHAT.COM:
kinit: Password incorrect while getting initial credentials
# kinit fbar1
Password for fbar1 at IDM.LAB.BOS.REDHAT.COM:
kinit: Password incorrect while getting initial credentials
# kinit fbar1
kinit: Clients credentials have been revoked while getting initial credentials
But LDAP binds are still allowed:
# ldapsearch -h localhost -D uid=fbar1,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com -x -w foo -s base -b ""
ldap_bind: Invalid credentials (49)
I think this is just caused by different processing of
krbpwdfailurecountinterval in ipa-kdb and in bind preop (when it is not set,
max auth tries checks are pretty much disabled).
>>
>>> I think we will need to fix both the pre-op and the post-op to make this
>>> work really consistently.
>>>
>>> 2) The lockout post-op still counts failed logins even though we are in
>>> lockout time, is this expected? It is another point of inconsistency
>>> with Kerberos auth. It leaves the user's krbloginfailedcount at "Max
>>> failures".
>>
>> Ok.
>>
>>>
>>> 3) Sometimes I get into a state where I lock out a new user with Kerberos
>>> and then wait some time until the lockout time passes (no admin unlock),
>>> and I am able to run as many LDAP binds as I want.
>>
>> Can you clarify? Successful or unsuccessful binds?
Unsuccessful binds. I will try to reproduce it again when you fix the crash; it
is hard to investigate it with this crash around.
>>
>>> This is all I found so far. Honza is also reviewing it, so I will let
>>> him post his findings too.
>>>
>>> Martin
>
> Here is an updated patch to not increment past the max failures on LDAP binds.
The new patch now causes 389-ds to crash with SIGSEGV if I try to bind as a
user with no group policy assigned (Stacktrace attached).
Martin
>
> I couldn't reproduce your 3rd point.
>
> rob
>
-------------- next part --------------
Thread 1 (Thread 0x7fdde4ff9700 (LWP 7617)):
#0 __strlen_sse2 () at ../sysdeps/x86_64/strlen.S:31
No locals.
#1 0x00007fddfe4b15bc in slapi_mods_add_string (smods=0x7fddc8001c70, modtype=modtype at entry=1, type=type at entry=0x7fddf4b9cf21 "krbLastFailedAuth", val=0x0) at ldap/servers/slapd/modutil.c:370
No locals.
#2 0x00007fddf4b9c833 in ipalockout_postop (pb=0x1cad1b0) at ipa_lockout.c:544
dn = 0x7fddc8000dd0 "uid=fbar1b,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
policy_dn = 0x7fddc8005390 "cn=test,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
target_entry = 0x7fddc8008620
policy_entry = 0x7fddc80026e0
sdn = 0x7fddc80018c0
pbtm = 0x0
smods = 0x0
objectclass = 0x0
errstr = 0x0
ldrc = <optimized out>
rc = 49
ret = 0
failedcount = 1
failedcountstr = "1\000?\001\000\000\000\000\200$\224\001\000\000\000\000?\233?\001\000\000\000\000?Cz\001\000\000\000"
failed_bind = 1
max_fail = 3
utctime = {tm_sec = 0, tm_min = 0, tm_hour = -453022896, tm_mday = 32733, tm_mon = -453022936, tm_year = 32733, tm_wday = 0, tm_yday = 0, tm_isdst = 26485888, tm_gmtoff = 140591433548788, tm_zone = 0x17a4488 ""}
time_now = 1363608767
timestr = "34633-453022935"
failcnt_interval = <optimized out>
lastfail = 0x0
tries = 0
failure = 1
actual_type_name = 0x7fddc8007c20 "krbPwdPolicyReference"
attr_free_flags = 2
values = 0x7fddc8008560
__func__ = "ipalockout_postop"
#3 0x00007fddfe4bd8e1 in plugin_call_func (list=0x17a4b20, operation=operation at entry=501, pb=pb at entry=0x1cad1b0, call_one=call_one at entry=0) at ldap/servers/slapd/plugin.c:1453
n = <optimized out>
func = 0x7fddf4b9c280 <ipalockout_postop>
rc = <optimized out>
return_value = 0
count = 1
#4 0x00007fddfe4bdb07 in plugin_call_list (pb=0x1cad1b0, operation=501, list=<optimized out>) at ldap/servers/slapd/plugin.c:1415
No locals.
#5 plugin_call_plugins (pb=pb at entry=0x1cad1b0, whichfunction=whichfunction at entry=501) at ldap/servers/slapd/plugin.c:398
p = <optimized out>
plugin_list_number = 2
rc = 0
do_op = <optimized out>
#6 0x000000000041172e in do_bind (pb=0x1cad1b0) at ldap/servers/slapd/bind.c:818
ber = <optimized out>
err = <optimized out>
isroot = 0
method = 128
version = 3
auth_response_requested = 0
pw_response_requested = 0
rawdn = 0x7fddc8000d50 "uid=fbar1b,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
dn = <optimized out>
saslmech = 0x0
cred = {bv_len = 3, bv_val = 0x7fddc8000ea0 "foo"}
be = 0x191e730
ber_rc = <optimized out>
rc = 2
sdn = 0x7fddc8000da0
referral = 0x0
errorbuf = '\000' <repeats 7080 times>, "?6t??\177\000\000\000\000\000\000\000\000\000\000\033\237?\000\000\000\000 \212???\177\000\000\020\000\000\000\000\000\000\000!\000\000\000\000\000\000\000?>t??\177\000\000\033\000\000\000\000\000\000\000\000\212???\177\000\000|Z?\002\000\000\000\000?6t??\177\000\000\034\071\n??\177\000\000\220u\202\r\000\000\000\000p\212???\177\000\000\020\000\000\000\000\000\000\000!\000\000\000\000\000\000\000?>t??\177\000\000\020\000\000\000\000\000\000\000P\212???\177\000\000?\t6\000\000\000\000\000?<\n??\177\000\000?+\n??\177\000\000\032m@\000\000\000\000\000\t6\000\000\000\000\000\000"...
supported = <optimized out>
pmech = <optimized out>
authtypebuf = '\000' <repeats 255 times>
bind_target_entry = 0x7fddc8001c90
auto_bind = <optimized out>
minssf = <optimized out>
minssf_exclude_rootdse = <optimized out>
#7 0x0000000000417113 in connection_dispatch_operation (pb=<optimized out>, op=0x1cad4b0, conn=0x7fddec156e10) at ldap/servers/slapd/connection.c:568
minssf = 0
minssf_exclude_rootdse = <optimized out>
#8 connection_threadmain () at ldap/servers/slapd/connection.c:2345
is_timedout = 0
curtime = <optimized out>
pb = 0x1cad1b0
interval = 10000
conn = 0x7fddec156e10
op = 0x1cad4b0
tag = 96
need_wakeup = 0
need_conn_release = <optimized out>
thread_turbo_flag = 0
ret = <optimized out>
more_data = 0
replication_connection = <optimized out>
doshutdown = 0
#9 0x00007fddfcabce23 in _pt_root (arg=0x1ca5020) at ../../../mozilla/nsprpub/pr/src/pthreads/ptthread.c:156
thred = 0x1ca5020
detached = 1
#10 0x00007fddfc45fd15 in start_thread (arg=0x7fdde4ff9700) at pthread_create.c:308
__res = <optimized out>
pd = 0x7fdde4ff9700
now = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140591006455552, -7801243002481506053, 1, 140591435722752, 140591006455552, 0, 7784369896572750075, 7784351394420001019}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = 0
pagesize_m1 = <optimized out>
sp = <optimized out>
freesize = <optimized out>
#11 0x00007fddfc19246d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:114
No locals.
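The three behaviours argued about above (max-failure enforcement that must not depend on whether krbPwdFailureCountInterval is set, a post-op that stops counting at the limit, and a post-op that must not hand a NULL krbLastFailedAuth value to slapi_mods_add_string) can be modelled in a few functions. The following is an added illustration written for this page, not code from the patch, from ipa_lockout.c or from 389-ds; the struct and function names are assumptions, only the attribute names and the values from Martin's test (maxfail 3, time_now 1363608767 from the trace) come from the thread. Treating an unset interval as "the counter never resets" is a design choice of the example, not something the thread states.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical model of lockout accounting for an LDAP bind plugin.
 * Not the ipa_lockout.c source: names are assumptions, only the attribute
 * names in the comments are FreeIPA's. */
struct lockout_policy {
    int  max_fail;          /* krbMaxPwdFailure; 0 = no limit */
    long failcnt_interval;  /* krbPwdFailureCountInterval, seconds; 0 = unset */
    long lockout_duration;  /* krbPwdLockoutDuration, seconds; 0 = unset */
};

struct account_state {
    int    failedcount;     /* krbLoginFailedCount */
    time_t lastfail;        /* krbLastFailedAuth; 0 = attribute absent */
};

/* Pre-op decision: 1 if the bind must be rejected as locked out.
 * An unset failure-count interval does not switch the check off; the thread
 * reports that the original pre-op effectively did, which is why LDAP binds
 * kept being evaluated after the KDC had already revoked the account. */
int is_locked_out(const struct lockout_policy *p, const struct account_state *a, time_t now)
{
    if (p->max_fail <= 0 || a->failedcount < p->max_fail)
        return 0;
    /* at the limit: a finite lockout duration expires, an unset one needs an admin unlock */
    if (p->lockout_duration > 0 && a->lastfail != 0 &&
        now - a->lastfail >= p->lockout_duration)
        return 0;
    return 1;
}

/* Post-op accounting for a failed bind; returns the new failed count.
 * The counter resets once the failure-count interval has elapsed and is
 * never incremented past max_fail (the change the updated patch makes). */
int record_failed_bind(const struct lockout_policy *p, struct account_state *a, time_t now)
{
    int count = a->failedcount;

    if (p->failcnt_interval > 0 && a->lastfail != 0 &&
        now - a->lastfail >= p->failcnt_interval)
        count = 0;
    if (p->max_fail <= 0 || count < p->max_fail)
        count++;
    a->failedcount = count;
    a->lastfail = now;
    return count;
}

/* Replays `attempts` failed binds, `spacing` seconds apart, against a fresh
 * account and returns how many of them the pre-op check rejected. */
int count_lockout_rejections(const struct lockout_policy *p, int attempts, long spacing, time_t start)
{
    struct account_state a = { 0, 0 };
    int rejected = 0;

    for (int i = 0; i < attempts; i++) {
        time_t now = start + (time_t)i * spacing;
        if (is_locked_out(p, &a, now)) {
            rejected++;
            continue;
        }
        record_failed_bind(p, &a, now);
    }
    return rejected;
}

/* krbLastFailedAuth as LDAP GeneralizedTime ("YYYYMMDDHHMMSSZ"), or NULL when
 * the attribute is absent (t == 0). The attached trace shows the crash path:
 * slapi_mods_add_string() entered with val=0x0 because lastfail was NULL, so
 * a caller has to branch on a NULL return here instead of passing it on. */
const char *format_generalized_time(time_t t, char *buf, size_t len)
{
    struct tm utc;

    if (t == 0 || buf == NULL || len < 16)
        return NULL;
    if (gmtime_r(&t, &utc) == NULL)
        return NULL;
    if (strftime(buf, len, "%Y%m%d%H%M%SZ", &utc) == 0)
        return NULL;
    return buf;
}

/* Same formatting over a static buffer, for callers that use the value at once. */
const char *last_failed_auth_string(time_t t)
{
    static char buf[32];
    return format_generalized_time(t, buf, sizeof buf);
}

int main(void)
{
    struct lockout_policy test = { 3, 0, 0 };   /* mirrors "ipa pwpolicy-mod test --maxfail 3" */

    printf("rejected binds out of 4: %d\n", count_lockout_rejections(&test, 4, 1, 1363608767));
    printf("krbLastFailedAuth for time_now in the trace: %s\n", last_failed_auth_string(1363608767));
    printf("absent attribute yields %s\n", last_failed_auth_string(0) ? "a value" : "NULL");
    return 0;
}
```

With the policy from the kinit transcript (three failures allowed, no interval, no duration) the fourth bind is the first one rejected, matching the KDC's "credentials have been revoked" on the fourth kinit, and further failed binds leave the counter at 3 rather than growing past it.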