<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 11/25/2013 03:33 PM, JLPicard wrote:<br>
</div>
<blockquote cite="mid:BLU0-SMTP442FCF95EA8BBA2F03FB2FFC0ED0@phx.gbl"
type="cite">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<style id="owaParaStyle">P {
        MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
</style>Hi, I am testing out 389_ds_base, version
=1.2.11.15,REV=2013.01.31 running on mixed Solaris 10 servers
(SPARC and X86) sourced from <br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://www.opencsw.org/packages/CSW389-ds-base">http://www.opencsw.org/packages/CSW389-ds-base</a>
<br>
in multi-master mode with 4 servers that is primarily used for
authentication and user/group/netgroup management. <br>
<br>
Most of the password policy components seem to work as they
should, but password failure account lockout doesn't appear to
engage after X failed attempts. After creating a new account and
testing a successful login, after 5+ failed logins with bad
passwords, I can still log in after I would expect to be locked
out. I even created a new password policy and applied it to this
user and it still doesn't lock him out after 5+ failed logins with
bad passwords. <br>
</blockquote>
<br>
Can you reproduce the issue with ldapsearch?<br>
<br>
ldapsearch ... -D "uid=myuser,...." -w "badpassword" ...<br>
repeat 5 times<br>
<br>
<br>
<blockquote cite="mid:BLU0-SMTP442FCF95EA8BBA2F03FB2FFC0ED0@phx.gbl"
type="cite"> <br>
The client server I am trying to login to is a Solaris 10 Sparc OS
that successfully integrates into LDAP for authentication and
user/group/netgroup management. <br>
<br>
Can someone recommend some steps to determine where to start
attacking this issue? I assume this is a 389DS issue, but I
provided a copy of our /etc/pam.conf and /etc/nsswitch.conf in
case it's a client-side configuration issue.<br>
<br>
I have provided some quick diagnostics of current settings as they
are shown below in an ldapsearch-cmd in this environment (see
below). Thanks in advance for any help you may provide. <br>
<br>
#Here is the global password policy:<br>
>>ldapsearch -x -ZZ -LLL -h ldap-dr01.my-domain.com -D
'cn=directory manager' -b 'cn=config' -s base 'objectClass=*' '*'
passwordHistory | grep password<br>
passwordInHistory: 6<br>
passwordUnlock: on<br>
passwordGraceLimit: 0<br>
passwordMustChange: off<br>
passwordWarning: 86400<br>
passwordLockout: off<br>
passwordMinLength: 8<br>
passwordMinDigits: 0<br>
passwordMinAlphas: 0<br>
passwordMinUppers: 0<br>
passwordMinLowers: 0<br>
passwordMinSpecials: 0<br>
passwordMin8bit: 0<br>
passwordMaxRepeats: 0<br>
passwordMinCategories: 3<br>
passwordMinTokenLength: 3<br>
passwordMaxFailure: 3<br>
passwordHistory: off<br>
passwordMaxAge: 8640000<br>
passwordResetFailureCount: 600<br>
passwordisglobalpolicy: on<br>
passwordlegacypolicy: on<br>
passwordtrackupdatetime: off<br>
passwordChange: on<br>
passwordExp: off<br>
passwordLockoutDuration: 3600<br>
passwordCheckSyntax: off<br>
passwordMinAge: 0<br>
passwordStorageScheme: SSHA<br>
<br>
<br>
#Here is my newly created policy<br>
>>ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b
"cn=nsPwPolicyContainer,ou=people,dc=my-domain,dc=com"
"(&(objectClass=ldapsubentry)(objectClass=passwordPolicy)(cn=TestNewPolicy))"<br>
dn:
cn=TestNewPolicy,cn=nsPwPolicyContainer,ou=people,dc=my-domain,dc=com<br>
cn: TestNewPolicy<br>
objectClass: top<br>
objectClass: ldapsubentry<br>
objectClass: passwordPolicy<br>
passwordMustChange: on<br>
passwordChange: on<br>
passwordMinAge: 0<br>
passwordKeepHistory: on<br>
passwordInHistory: 12<br>
passwordExp: on<br>
passwordMaxAge: 86400<br>
passwordWarning: 10000<br>
passwordGraceLimit: 5<br>
passwordLockout: on<br>
passwordMaxFailure: 4<br>
passwordResetDuration: 600<br>
passwordLockoutDuration: 3600<br>
passwordCheckSyntax: on<br>
passwordMinLength: 6<br>
passwordMinAlphas: 1<br>
passwordMinCategories: 1<br>
passwordMinDigits: 1<br>
passwordMinLowers: 1<br>
passwordMinUppers: 1<br>
passwordMinSpecials: 0<br>
passwordMin8bit: 0<br>
passwordMaxRepeats: 0<br>
passwordMinTokenLength: 3<br>
passwordStorageScheme: SSHA<br>
<br>
#Here is my newly created user with the test policy applied to him<br>
>>ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b
"dc=my-domain,dc=com" "cn=test-user-account"<br>
dn: uid=test-user-account,ou=people,dc=my-domain,dc=com<br>
description: accountHasItsOwnPwdPolicy<br>
objectClass: posixAccount<br>
objectClass: shadowAccount<br>
objectClass: account<br>
objectClass: top<br>
uid: test-user-account<br>
cn: test-user-account<br>
uidNumber: 2853<br>
gidNumber: 2600<br>
gecos: User LDAP Test<br>
homeDirectory: /home/test-user-account<br>
loginShell: /bin/tcsh<br>
<br>
>>ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b
"dc=my-domain,dc=com" "cn=test-user-account" pwdPolicySubentry<br>
dn: uid=test-user-account,ou=people,dc=my-domain,dc=com<br>
pwdPolicySubentry:
cn=TestNewPolicy,cn=nsPwPolicyContainer,ou=people,dc=my-domain,dc=com<br>
<br>
>>ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b
"dc=my-domain,dc=com" "cn=test-user-account"
passwordExpirationtime<br>
dn: uid=test-user-account,ou=people,dc=my-domain,dc=com<br>
passwordExpirationtime: 20131126160316Z<br>
<br>
<br>
Here is my Solaris-based PAM file: /etc/pam.conf <br>
#ident "@(#)pam.conf 1.31 07/12/07 SMI"<br>
#<br>
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.<br>
# Use is subject to license terms.<br>
#<br>
# PAM configuration<br>
#<br>
# Unless explicitly defined, all services use the modules<br>
# defined in the "other" section.<br>
#<br>
# Modules are defined with relative pathnames, i.e., they are<br>
# relative to /usr/lib/security/. Absolute path names, as<br>
# present in this file in previous releases are still acceptable.<br>
#<br>
# Authentication management<br>
#<br>
# login service (explicit because of pam_dial_auth)<br>
#<br>
login auth requisite pam_authtok_get.so.1<br>
login auth required pam_dhkeys.so.1<br>
login auth required pam_unix_cred.so.1<br>
login auth required pam_dial_auth.so.1<br>
login auth binding pam_unix_auth.so.1 server_policy<br>
login auth required pam_ldap.so.1<br>
#<br>
# rlogin service (explicit because of pam_rhost_auth)<br>
#<br>
rlogin auth sufficient pam_rhosts_auth.so.1<br>
rlogin auth requisite pam_authtok_get.so.1<br>
rlogin auth required pam_dhkeys.so.1<br>
rlogin auth required pam_unix_cred.so.1<br>
rlogin auth binding pam_unix_auth.so.1 server_policy<br>
rlogin auth required pam_ldap.so.1<br>
#<br>
# Kerberized rlogin service<br>
#<br>
#<br>
# rsh service (explicit because of pam_rhost_auth,<br>
# and pam_unix_auth for meaningful pam_setcred)<br>
#<br>
rsh auth sufficient pam_rhosts_auth.so.1<br>
rsh auth required pam_unix_cred.so.1<br>
rsh auth binding pam_unix_auth.so.1 server_policy<br>
rsh auth required pam_ldap.so.1<br>
#<br>
# Kerberized rsh service<br>
#<br>
#<br>
# Kerberized telnet service<br>
#<br>
#<br>
# PPP service (explicit because of pam_dial_auth)<br>
#<br>
ppp auth requisite pam_authtok_get.so.1<br>
ppp auth required pam_dhkeys.so.1<br>
ppp auth required pam_dial_auth.so.1<br>
ppp auth binding pam_unix_auth.so.1 server_policy<br>
ppp auth required pam_ldap.so.1<br>
#<br>
# Default definitions for Authentication management<br>
# Used when service name is not explicitly mentioned for
authentication<br>
#<br>
#<br>
other auth requisite pam_authtok_get.so.1<br>
other auth required pam_dhkeys.so.1<br>
other auth required pam_unix_cred.so.1<br>
other auth binding pam_unix_auth.so.1 server_policy<br>
other auth required pam_ldap.so.1<br>
#<br>
# passwd command (explicit because of a different authentication
module)<br>
#<br>
passwd auth binding pam_passwd_auth.so.1 server_policy<br>
passwd auth required pam_ldap.so.1<br>
#<br>
# cron service (explicit because of non-usage of pam_roles.so.1)<br>
#<br>
cron account required pam_unix_account.so.1<br>
#<br>
# Default definition for Account management<br>
# Used when service name is not explicitly mentioned for account
management<br>
#<br>
other account requisite pam_roles.so.1<br>
other account binding pam_unix_account.so.1 server_policy<br>
other account required pam_list.so.1 allow=/etc/user.allow<br>
other account required pam_ldap.so.1<br>
#<br>
# Default definition for Session management<br>
# Used when service name is not explicitly mentioned for session
management<br>
#<br>
other session required pam_unix_session.so.1<br>
#<br>
# Default definition for Password management<br>
# Used when service name is not explicitly mentioned for password
management<br>
#<br>
other password required pam_dhkeys.so.1<br>
other password requisite pam_authtok_get.so.1<br>
other password requisite pam_authtok_check.so.1<br>
other password required pam_authtok_store.so.1
server_policy<br>
#<br>
# Support for Kerberos V5 authentication and example
configurations can<br>
# be found in the pam_krb5(5) man page under the "EXAMPLES"
section.<br>
#<br>
ppp auth required pam_unix_cred.so.1 <br>
ppp auth required pam_unix_auth.so.1 <br>
krlogin auth required pam_unix_cred.so.1<br>
krlogin auth required pam_krb5.so.1<br>
krsh auth required pam_unix_cred.so.1<br>
krsh auth required pam_krb5.so.1<br>
ktelnet auth required pam_unix_cred.so.1<br>
ktelnet auth required pam_krb5.so.1<br>
<br>
Here is my Solaris-based NSSWITCH file: /etc/nsswitch.conf <br>
#<br>
# Copyright 2006 Sun Microsystems, Inc. All rights reserved.<br>
# Use is subject to license terms.<br>
#<br>
# ident "@(#)nsswitch.ldap 1.10 06/05/03 SMI"<br>
<br>
#<br>
# /etc/nsswitch.ldap:<br>
#<br>
# An example file that could be copied over to /etc/nsswitch.conf;
it<br>
# uses LDAP in conjunction with files.<br>
#<br>
# "hosts:" and "services:" in this file are used only if the<br>
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet"
transports.<br>
<br>
# LDAP service requires that svc:/network/ldap/client:default be
enabled<br>
# and online.<br>
<br>
# the following two lines obviate the "+" entry in /etc/passwd and
/etc/group.<br>
passwd: files ldap<br>
group: files ldap<br>
<br>
# consult /etc "files" only if ldap is down.<br>
hosts: files dns<br>
<br>
# Note that IPv4 addresses are searched for in all of the ipnodes
databases<br>
# before searching the hosts databases.<br>
ipnodes: files dns<br>
<br>
networks: files<br>
protocols: files<br>
rpc: files<br>
ethers: files<br>
netmasks: files<br>
bootparams: files<br>
publickey: files<br>
<br>
netgroup: ldap<br>
<br>
automount: files ldap<br>
aliases: files ldap<br>
<br>
# for efficient getservbyname() avoid ldap<br>
services: files ldap<br>
<br>
printers: user files ldap<br>
<br>
auth_attr: files ldap<br>
prof_attr: files ldap<br>
<br>
project: files ldap<br>
<br>
tnrhtp: files ldap<br>
tnrhdb: files ldap<br>
<br>
<br>
<pre wrap="">--
389 users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></pre>
</blockquote>
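The reproduction the reply asks for (bind as the user with a bad password, repeat five times) should show the account locking once the failure count reaches passwordMaxFailure. What follows is an added example, not code from this thread or from 389 DS itself: a small Python model of the lockout bookkeeping, driven by the lockout attributes quoted above. It parses constructed LDIF snippets (values copied from the global cn=config policy and from the TestNewPolicy subentry on this page), applies an assumed, simplified version of the 389 DS semantics (the failure counter resets after passwordResetFailureCount seconds without a failure, the account locks when the counter reaches passwordMaxFailure, and with passwordUnlock on the lock expires after passwordLockoutDuration), and replays a sequence of bind attempts under each policy. The names parse_ldif_attrs, LockoutPolicy, AccountState, bind and run_attempts are my own. Under the global policy, which has passwordLockout: off, five bad binds followed by the correct password simply succeed, which is exactly the behaviour reported above; under the subentry, the fourth bad bind locks the account.<br>

```python
"""Simplified model of 389 DS password-lockout bookkeeping (added example,
not 389 DS code).  The semantics are an assumption drawn from the meaning of
the policy attributes quoted in the thread, not a transcription of the
server's implementation."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed LDIF snippets: lockout-related values copied from the global
# policy (cn=config) and the TestNewPolicy subentry shown in the thread.
GLOBAL_LDIF = """\
passwordLockout: off
passwordMaxFailure: 3
passwordResetFailureCount: 600
passwordLockoutDuration: 3600
passwordUnlock: on
"""

LOCAL_LDIF = """\
dn: cn=TestNewPolicy,cn=nsPwPolicyContainer,ou=people,dc=my-domain,dc=com
passwordLockout: on
passwordMaxFailure: 4
passwordLockoutDuration: 3600
"""


def parse_ldif_attrs(text: str) -> Dict[str, List[str]]:
    """Collect 'name: value' lines into a dict keyed by lower-cased attribute
    name (LDAP attribute names are case-insensitive)."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


@dataclass(frozen=True)
class LockoutPolicy:
    lockout: bool              # passwordLockout
    max_failure: int           # passwordMaxFailure
    reset_failure_count: int   # passwordResetFailureCount (seconds)
    lockout_duration: int      # passwordLockoutDuration (seconds)
    unlock: bool               # passwordUnlock

    @classmethod
    def from_ldif(cls, text: str) -> "LockoutPolicy":
        attrs = parse_ldif_attrs(text)

        def first(name: str, default: str) -> str:
            return attrs.get(name.lower(), [default])[0]

        # Defaults (assumed) are the values the thread's global policy carries.
        return cls(
            lockout=first("passwordLockout", "off") == "on",
            max_failure=int(first("passwordMaxFailure", "3")),
            reset_failure_count=int(first("passwordResetFailureCount", "600")),
            lockout_duration=int(first("passwordLockoutDuration", "3600")),
            unlock=first("passwordUnlock", "on") == "on",
        )


@dataclass
class AccountState:
    """Per-entry state, mirroring the operational attributes 389 DS keeps
    (passwordRetryCount, retryCountResetTime, accountUnlockTime)."""
    retry_count: int = 0
    last_failure: Optional[int] = None
    unlock_time: Optional[int] = None


def bind(policy: LockoutPolicy, state: AccountState, now: int, password_ok: bool) -> str:
    """Simulate one simple bind at time `now`; returns 'ok', 'invalid' or 'locked'."""
    if policy.lockout and state.unlock_time is not None:
        # With passwordUnlock off the lock never expires on its own.
        if not policy.unlock or now < state.unlock_time:
            return "locked"
        state.unlock_time = None          # lockout period has elapsed
        state.retry_count = 0
    if password_ok:
        state.retry_count = 0             # a good bind clears the counter
        state.last_failure = None
        return "ok"
    if not policy.lockout:
        return "invalid"                  # counting disabled: never locks
    if state.last_failure is not None and now - state.last_failure > policy.reset_failure_count:
        state.retry_count = 0             # failures too far apart: counter reset
    state.retry_count += 1
    state.last_failure = now
    if state.retry_count >= policy.max_failure:
        state.unlock_time = now + policy.lockout_duration
        return "locked"
    return "invalid"


def run_attempts(policy: LockoutPolicy, attempts: List[Tuple[int, bool]]) -> List[str]:
    """Replay (time_in_seconds, password_correct) pairs against a fresh account."""
    state = AccountState()
    return [bind(state=state, policy=policy, now=t, password_ok=ok) for t, ok in attempts]


GLOBAL_POLICY = LockoutPolicy.from_ldif(GLOBAL_LDIF)
LOCAL_POLICY = LockoutPolicy.from_ldif(LOCAL_LDIF)

# Constructed run: five bad passwords ten seconds apart, then the right one.
ATTEMPTS: List[Tuple[int, bool]] = [(0, False), (10, False), (20, False),
                                    (30, False), (40, False), (50, True)]

if __name__ == "__main__":
    for label, policy in (("global", GLOBAL_POLICY), ("TestNewPolicy", LOCAL_POLICY)):
        print(f"{label:14s} {policy}")
        print("    ", run_attempts(policy, ATTEMPTS))
```

Two practical points fall out of the model. First, the five ldapsearch binds have to land within passwordResetFailureCount seconds of each other, otherwise the counter keeps resetting and no policy will ever lock; spacing them 700 s apart against the subentry policy above yields six plain "invalid" results. Second, the surest way to tell which policy the server actually applied is to read the operational attributes the model mirrors (passwordRetryCount, retryCountResetTime, accountUnlockTime) from the user entry with an ldapsearch run as Directory Manager after the failed binds: a counter that never moves points at a policy with passwordLockout: off being in effect for that entry.<br>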
<br>
</body>
</html>