[389-users] Password Failure Lockout doesn't seem to work

JLPicard jlpicard15 at hotmail.com
Wed Dec 11 18:35:51 UTC 2013


Yes,

It shows up in the "dse.ldif" file:
          root at my-ldapHost01% grep nsslapd-pwpolicy-local dse.ldif
          nsslapd-pwpolicy-local: on

It also shows up on ldapsearch:

root at my-ldapHost01% ldapsearch -x -ZZ -LLL -W -h 
"my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D 'cn=directory 
manager' -b 'cn=config' -s base 'objectClass=*' 'nsslapd-pwpolicy-local'
Enter LDAP Password:
dn: cn=config
nsslapd-pwpolicy-local: on


On 11/26/2013 9:00 AM, Ludwig Krispenz wrote:
> Hi,
>
> did you set:
> nsslapd-pwpolicy-local: on
>
> in cn=config ?
>
> Ludwig
>
> On 11/26/2013 02:13 PM, JLPicard wrote:
>> Yes, I can, after 8 consecutive failed authentications, the account 
>> can still successfully query the DS with the correct password.
>>
>> % ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b 
>> "dc=my-domain,dc=com" -D 
>> "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword 
>> "cn=test-user-account"
>> ldap_bind: Invalid credentials (49)
>> % ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b 
>> "dc=my-domain,dc=com" -D 
>> "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword 
>> "cn=test-user-account"
>> ldap_bind: Invalid credentials (49)
>> % ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b 
>> "dc=my-domain,dc=com" -D 
>> "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword 
>> "cn=test-user-account"
>> ldap_bind: Invalid credentials (49)
>> % ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b 
>> "dc=my-domain,dc=com" -D 
>> "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword 
>> "cn=test-user-account"
>> ldap_bind: Invalid credentials (49)
>> % ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b 
>> "dc=my-domain,dc=com" -D 
>> "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword 
>> "cn=test-user-account"
>> ldap_bind: Invalid credentials (49)
>> % ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b 
>> "dc=my-domain,dc=com" -D 
>> "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword 
>> "cn=test-user-account"
>> ldap_bind: Invalid credentials (49)
>> % ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b 
>> "dc=my-domain,dc=com" -D 
>> "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword 
>> "cn=test-user-account"
>> ldap_bind: Invalid credentials (49)
>> % ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b 
>> "dc=my-domain,dc=com" -D 
>> "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword 
>> "cn=test-user-account"
>> ldap_bind: Invalid credentials (49)
>> % ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b 
>> "dc=my-domain,dc=com" -D 
>> "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w goodPwrd 
>> "cn=test-user-account"
>> dn: uid=test-user-account,ou=people,dc=my-domain,dc=com
>> description: accountHasItsOwnPwdPolicy
>> objectClass: posixAccount
>> objectClass: shadowAccount
>> objectClass: account
>> objectClass: top
>> uid: test-user-account
>> cn: test-user-account
>> uidNumber: 2853
>> gidNumber: 2600
>> gecos: LDAP Test
>> homeDirectory: /home/test-user-account
>> loginShell: /bin/tcsh
>>
>>
>> On 11/25/2013 5:49 PM, 389-users-request at lists.fedoraproject.org wrote:
>>> From: Rich Megginson <rmeggins at redhat.com>
>>> To: "General discussion list for the 389 Directory server project."
>>> <389-users at lists.fedoraproject.org>
>>> Cc: JLPicard <jlpicard15 at hotmail.com>
>>> Subject: Re: [389-users] Password Failure Lockout doesn't seem to work
>>> Message-ID: <5293D3FC.2090907 at redhat.com>
>>> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>>>
>>> On 11/25/2013 03:33 PM, JLPicard wrote:
>>>> >Hi, I am testing out 389_ds_base, version =1.2.11.15,REV=2013.01.31
>>>> >running on mixed Solaris 10 servers (SPARC and X86) sourced from
>>>> >http://www.opencsw.org/packages/CSW389-ds-base
>>>> >in multi-master mode with 4 servers that is primarily used for
>>>> >authentication and user/group/netgroup management.
>>>> >
>>>> >Most of the Password policy components seem to work as they should,
>>>> >but password failure account lockout doesn't appear to engage after
>>>> >X-failed attempts.  After creating a new account, testing a successful
>>>> >login, after 5+ failed logins with bad passwords, I can still login
>>>> >after I would expect to be locked out.  I even created a new password
>>>> >policy and applied it to this user and it still doesn't lock him out
>>>> >after 5+ failed logins with bad passwords.
>>> Can you reproduce the issue with ldapsearch?
>>>
>>> ldapsearch ... -D "uid=myuser,...." -w "badpassword" ...
>>> repeat 5 times
>>>
>>>
>>
>> -- 
>> 389 users mailing list
>> 389-users at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
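The reproduction Rich asked for, packaged as a small harness (an added example, not code from the thread or from the 389 project): it drives the same ldapsearch binds shown above, then reads back the lockout bookkeeping 389 DS keeps on the entry (the operational attributes passwordRetryCount, retryCountResetTime, accountUnlockTime and passwordPolicySubentry), so that "the lockout never engages" can be told apart from "no lockout policy is in effect for this entry". It assumes OpenLDAP's ldapsearch is on PATH, that the Directory Manager password is kept in a file passed with -y, and that the caller supplies the policy's passwordMaxFailure value; the LDIF sample at the top is constructed for the self-check and is not from any real server.

```python
#!/usr/bin/env python3
"""Check whether failed-bind lockout engages on a 389 DS test account.

Added example, not from the 389-users thread. Assumptions: OpenLDAP
ldapsearch on PATH; Directory Manager password in a file (ldapsearch -y);
the caller passes the effective passwordMaxFailure value.
"""
import subprocess
import sys

# Operational attributes 389 DS maintains on a user entry while counting
# failed binds. They are not returned unless requested by name.
OPERATIONAL_ATTRS = ["passwordRetryCount", "retryCountResetTime",
                     "accountUnlockTime", "passwordPolicySubentry"]

# Constructed sample of what the Directory Manager read-back can look like
# (folded LDIF line included); used only by the self-check.
SAMPLE_LDIF = (
    "dn: uid=test-user-account,ou=people,dc=my-domain,dc=com\n"
    "passwordRetryCount: 5\n"
    "accountUnlockTime: 20131211190000Z\n"
    "passwordPolicySubentry: cn=accountHasItsOwnPwdPolicy,cn=nsPwPolicyContainer,ou=people,dc=my-d\n"
    " omain,dc=com\n"
)


def unfold_ldif(text):
    """Undo LDIF folding: a line beginning with a space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse a single-entry LDIF blob into {attribute (lowercased): [values]}."""
    attrs = {}
    for line in unfold_ldif(text):
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip().lower(), []).append(value.strip())
    return attrs


def retry_count(attrs):
    """passwordRetryCount as an int; 0 when the server never wrote it."""
    values = attrs.get("passwordretrycount", [])
    return int(values[0]) if values else 0


def lockout_verdict(max_failure, failed_rcs, good_rc, count):
    """Return (locked, diagnosis) for one run of the reproduction.

    locked is True when the bind with the correct password, made after
    max_failure consecutive failures, was rejected (non-zero exit code).
    """
    if len([rc for rc in failed_rcs if rc != 0]) < max_failure:
        return False, "fewer than passwordMaxFailure failed binds were made"
    if good_rc != 0:
        return True, "correct-password bind rejected: lockout engaged"
    if count == 0:
        return False, ("correct-password bind accepted and passwordRetryCount "
                       "never moved: the policy in effect for this entry is not "
                       "counting failures (passwordLockout off, or the local "
                       "policy is not applied to it)")
    return False, ("correct-password bind accepted although %d failures were "
                   "counted: check passwordMaxFailure, passwordLockoutDuration "
                   "and the passwordResetFailureCount window" % count)


def ldapsearch(host, base, bind_dn, pw_args, filt, *attrs):
    """Run ldapsearch with the flags used in the thread; return (exit code, stdout)."""
    cmd = ["ldapsearch", "-x", "-ZZ", "-LLL", "-h", host, "-b", base,
           "-D", bind_dn] + pw_args + [filt] + list(attrs)
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def main(argv):
    if len(argv) != 9:
        sys.exit("usage: %s host base user_dn uid bad_pw good_pw dm_pw_file max_failure"
                 % argv[0])
    host, base, user_dn, uid, bad_pw, good_pw, dm_pw_file, max_failure = argv[1:]
    max_failure = int(max_failure)
    filt = "(uid=%s)" % uid
    # Step 1: passwordMaxFailure consecutive binds with the wrong password.
    failed = [ldapsearch(host, base, user_dn, ["-w", bad_pw], filt)[0]
              for _ in range(max_failure)]
    # Step 2: one bind with the correct password; it should now be refused.
    good_rc, _ = ldapsearch(host, base, user_dn, ["-w", good_pw], filt)
    # Step 3: read the server-side counters as Directory Manager.
    _, ldif = ldapsearch(host, base, "cn=directory manager", ["-y", dm_pw_file],
                         filt, *OPERATIONAL_ATTRS)
    attrs = parse_ldif(ldif)
    locked, why = lockout_verdict(max_failure, failed, good_rc, retry_count(attrs))
    print("failed-bind exit codes:", failed)
    print("correct-password bind exit code:", good_rc)
    for name in OPERATIONAL_ATTRS:
        print("%s: %s" % (name, ", ".join(attrs.get(name.lower(), ["<absent>"]))))
    print("LOCKED" if locked else "NOT LOCKED", "-", why)
    return 0 if locked else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a throwaway account, as in the thread, with the bad password, the good password and the policy's passwordMaxFailure. The two values worth reading together are the exit code of the final correct-password bind and passwordRetryCount: a count that stays absent or at 0 after the failed binds means the server is not tracking failures for that entry at all, which points at the effective policy (global or the local one named in passwordPolicySubentry) rather than at the lockout mechanism itself.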



