[Freeipa-devel] [PATCH] 1092 Fix LDAP lockout plugin

Rob Crittenden rcritten at redhat.com
Mon Mar 18 15:07:39 UTC 2013


Martin Kosek wrote:
> On 03/15/2013 04:42 PM, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On 03/11/2013 10:07 PM, Rob Crittenden wrote:
>>>>> Fixed a number of issues applying password policy against LDAP binds.
>>>>> See patch
>>>>> for details.
>>>>>
>>>>> rob
>>>>>
>>>>
>>>> I see some issues with this fix:
>>>>
>>>> 1) Shouldn't group password policy serve only as an override to the main
>>>> policy? I.e. if I have this policy:
>>>>
>>>> # ipa pwpolicy-show test
>>>>     Group: test
>>>>     Priority: 10
>>>>     Max failures: 2
>>>>
>>>> We should still follow settings other than "Max failures" configured in
>>>> global policy, right? At least Kerberos seems to do it. I think we
>>>> should be consistent in this case. Now, other values just seem to be
>>>> zero.
>>>
>>> There should be only one policy. It isn't supposed to merge policies
>>> together (there is only one krbPwdPolicyReference per principal).
>
> That's a good point.
>
>>>
>>> How is the KDC acting differently?
>
> For example, if you set only the maximum number of bad password guesses, it does
> not allow any more (user fbar1 is a member of test group):
>
> # ipa pwpolicy-mod test --maxfail 3
>    Group: test
>    Priority: 10
>    Max failures: 3
>
> # kinit fbar1
> Password for fbar1 at IDM.LAB.BOS.REDHAT.COM:
> kinit: Password incorrect while getting initial credentials
> # kinit fbar1
> Password for fbar1 at IDM.LAB.BOS.REDHAT.COM:
> kinit: Password incorrect while getting initial credentials
> # kinit fbar1
> Password for fbar1 at IDM.LAB.BOS.REDHAT.COM:
> kinit: Password incorrect while getting initial credentials
> # kinit fbar1
> kinit: Clients credentials have been revoked while getting initial credentials
>
> But LDAP binds are still allowed
>
> # ldapsearch -h localhost -D uid=fbar1,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com -x -w foo -s base -b ""
> ldap_bind: Invalid credentials (49)
>
> I think this is just caused by different processing of
> krbpwdfailurecountinterval in ipa-kdb and in bind preop (when it is not set,
> max auth tries checks are pretty much disabled).

We can't examine things until a successful bind is done. If it is done 
and we determine that they should be locked out we refuse to continue.

>
>>>
>>>> I think we will need to fix both the pre-op and the post-op to make this
>>>> work really consistently.
>>>>
>>>> 2) The lockout post-op still counts failed logins even though we are in
>>>> lockout time, is this expected? It is another point of inconsistency
>>>> with Kerberos auth. It leaves the user's krbloginfailedcount at "Max
>>>> failures".
>>>
>>> Ok.
>>>
>>>>
>>>> 3) Sometimes, I get into a state when I lockout a new user with Kerberos
>>>> and then wait some time until the lockout time passes (no admin unlock),
>>>> I am able to run as many LDAP binds as I want.
>>>
>>> Can you clarify? Successful or unsuccessful binds?
>
> Unsuccessful binds. I will try to reproduce it again when you fix the crash, it
> is hard to investigate it with this crash around.
>
>>>
>>>> This is all I found so far. Honza is also reviewing it, so I will let
>>>> him post his findings too.
>>>>
>>>> Martin
>>
>> Here is an updated patch to not increment past the max failures on LDAP binds.
>
> The new patch now causes 389-ds to crash with SIGSEGV if I try to bind as a
> user with no group policy assigned (Stacktrace attached).

Stupid mistake on my part.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1092-3-lockout.patch
Type: text/x-diff
Size: 11226 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130318/cef48fad/attachment.bin>
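
The thread argues about three details of how a bind pre-op/post-op should apply the IPA password policy to LDAP simple binds: an unset krbPwdFailureCountInterval must not disable the max-failure check, the failure counter must not be incremented past krbPwdMaxFailure, and a bind (even with the correct password) must be refused while the account is inside its lockout window. The model below is an added example written for this archive page; it is not FreeIPA's 389-ds plugin code and not the attached patch. The attribute names in the comments are IPA's, but the reset rules (counter cleared when the failure-count interval or the lockout duration has elapsed, or after a later krbLastAdminUnlock; lockout duration 0 meaning "locked until admin unlock") are assumptions chosen to match the behaviour argued for in the thread, and the timestamps and bind sequences are constructed test input.

```python
"""Model of password-policy lockout evaluation for LDAP simple binds.

Added example for this thread, not FreeIPA's plugin code.  Attribute names in
comments are IPA's; the reset semantics are assumptions (see lead-in).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PwPolicy:
    max_failure: int = 0              # krbPwdMaxFailure; 0 disables lockout
    failure_count_interval: int = 0   # krbPwdFailureCountInterval (s); 0 = counter never ages out
    lockout_duration: int = 0         # krbPwdLockoutDuration (s); 0 = locked until admin unlock (assumption)


@dataclass
class UserState:
    failed_count: int = 0                    # krbLoginFailedCount
    last_failed_auth: Optional[int] = None   # krbLastFailedAuth, epoch seconds
    last_admin_unlock: Optional[int] = None  # krbLastAdminUnlock, epoch seconds


def effective_count(policy: PwPolicy, state: UserState, now: int) -> int:
    """Failure count after the resets a pre-op must honour before deciding."""
    if state.last_failed_auth is None:
        return 0
    # An admin unlock issued after the last failure clears the counter.
    if state.last_admin_unlock is not None and state.last_admin_unlock >= state.last_failed_auth:
        return 0
    age = now - state.last_failed_auth
    # Interval 0 means the counter sticks; it does NOT disable the max check
    # (the bug Martin describes is treating "unset" as "never enforce").
    if policy.failure_count_interval > 0 and age >= policy.failure_count_interval:
        return 0
    # A finite lockout window that has expired gives the user a fresh budget,
    # so the next failure starts at 1 instead of re-locking immediately.
    if (policy.max_failure > 0 and state.failed_count >= policy.max_failure
            and policy.lockout_duration > 0 and age >= policy.lockout_duration):
        return 0
    return state.failed_count


def is_locked_out(policy: PwPolicy, state: UserState, now: int) -> bool:
    """Pre-op decision: refuse the bind, correct password or not, while locked."""
    if policy.max_failure <= 0:
        return False
    return effective_count(policy, state, now) >= policy.max_failure


def record_failure(policy: PwPolicy, state: UserState, now: int) -> UserState:
    """Post-op bookkeeping for a failed bind; the count is capped at max_failure."""
    count = effective_count(policy, state, now) + 1
    if policy.max_failure > 0:
        count = min(count, policy.max_failure)   # never increment past max
    return UserState(failed_count=count, last_failed_auth=now,
                     last_admin_unlock=state.last_admin_unlock)


def record_success(state: UserState) -> UserState:
    """A successful bind resets the counter."""
    return UserState(failed_count=0, last_failed_auth=None,
                     last_admin_unlock=state.last_admin_unlock)


def simulate_binds(policy: PwPolicy, attempts: List[Tuple[int, str]]) -> List[Tuple[str, int]]:
    """Replay (time, 'ok'|'bad') bind attempts; returns (result, failed_count) per attempt.

    A locked account yields 'locked' without touching the counter, which is
    the post-op behaviour the thread asks for (no counting during lockout).
    """
    state = UserState()
    out = []
    for now, outcome in attempts:
        if is_locked_out(policy, state, now):
            out.append(("locked", state.failed_count))
        elif outcome == "ok":
            state = record_success(state)
            out.append(("ok", state.failed_count))
        else:
            state = record_failure(policy, state, now)
            out.append(("bad", state.failed_count))
    return out


if __name__ == "__main__":
    # Constructed sequence: three bad guesses, then a fourth bad one and a
    # correct password, both refused because the interval is unset (0).
    policy = PwPolicy(max_failure=3, failure_count_interval=0, lockout_duration=0)
    for r in simulate_binds(policy, [(0, "bad"), (1, "bad"), (2, "bad"), (3, "bad"), (4, "ok")]):
        print(r)
```

The three `simulate_binds` runs worth trying are: interval and duration both 0 (the account stays locked at a count of exactly `max_failure` until an admin unlock), a finite `lockout_duration` (a failure after the window expires counts as 1, not 4), and a finite `failure_count_interval` (old failures age out before the counter reaches the maximum).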