[389-users] Password Failure Lockout doesn't seem to work
JLPicard
jlpicard15 at hotmail.com
Thu Dec 19 17:32:33 UTC 2013
These issues are happening on a Solaris Sparc server, most of our
infrastructure is Solaris Sparc, with some Solaris X86 servers.
The Solaris equivalent of NSCD called
"svc:/system/name-service-cache:default" is running.
I am not familiar with authconfig, I can look for the Solaris equivalent
to confirm, but I do know that the name-service-cache does cache some
account information, but regularly refreshes it. I can also confirm the
accounts having the issue are not local accounts.
On 12/11/2013 1:41 PM, Justin Edmands wrote:
> just to think outside of what you have already mentioned:
>
> client nscd service running?
>
> Use authconfig to show if you have caching and local authorization
> settings:
> authconfig-tui
>
> change things on a test client and then tail the
> /var/log/slapd/<servername>/access (and other) logs while grepping for
> the user:
>
> tail -f /var/log/slapd/dirsrv1.blah.blah/access | grep bobby
>
> or even
>
> tail -f /var/log/slapd/dirsrv1.blah.blah/* | grep bobby
>
>
>
> On Wed, Dec 11, 2013 at 1:35 PM, JLPicard <jlpicard15 at hotmail.com> wrote:
>
> Yes,
>
> It shows up in the "dse.ldif" file:
> root at my-ldapHost01% grep nsslapd-pwpolicy-local dse.ldif
> nsslapd-pwpolicy-local: on
>
> It also shows up on ldapsearch:
>
> root at my-ldapHost01% ldapsearch -x -ZZ -LLL -W -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D 'cn=directory manager' -b 'cn=config' -s base 'objectClass=*' 'nsslapd-pwpolicy-local'
> Enter LDAP Password:
> dn: cn=config
> nsslapd-pwpolicy-local: on
>
>
>
> On 11/26/2013 9:00 AM, Ludwig Krispenz wrote:
>
> Hi,
>
> did you set:
> nsslapd-pwpolicy-local: on
>
> in cn=config ?
>
> Ludwig
>
> On 11/26/2013 02:13 PM, JLPicard wrote:
>
> Yes, I can, after 8 consecutive failed authentications,
> the account can still successfully query the DS with the
> correct password.
>
> % ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
> ldap_bind: Invalid credentials (49)
> % ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
> ldap_bind: Invalid credentials (49)
> % ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
> ldap_bind: Invalid credentials (49)
> % ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
> ldap_bind: Invalid credentials (49)
> % ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
> ldap_bind: Invalid credentials (49)
> % ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
> ldap_bind: Invalid credentials (49)
> % ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
> ldap_bind: Invalid credentials (49)
> % ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
> ldap_bind: Invalid credentials (49)
> % ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w goodPwrd "cn=test-user-account"
> dn: uid=test-user-account,ou=people,dc=my-domain,dc=com
> description: accountHasItsOwnPwdPolicy
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: account
> objectClass: top
> uid: test-user-account
> cn: test-user-account
> uidNumber: 2853
> gidNumber: 2600
> gecos: LDAP Test
> homeDirectory: /home/test-user-account
> loginShell: /bin/tcsh
>
>
> On 11/25/2013 5:49 PM, 389-users-request at lists.fedoraproject.org wrote:
>
> From: Rich Megginson <rmeggins at redhat.com>
> To: "General discussion list for the 389 Directory server project." <389-users at lists.fedoraproject.org>
> Cc: JLPicard <jlpicard15 at hotmail.com>
> Subject: Re: [389-users] Password Failure Lockout doesn't seem to work
> Message-ID: <5293D3FC.2090907 at redhat.com>
>
> On 11/25/2013 03:33 PM, JLPicard wrote:
>
> >Hi, I am testing out 389_ds_base, version =1.2.11.15,REV=2013.01.31
> >running on mixed Solaris 10 servers (SPARC and X86) sourced from
> >http://www.opencsw.org/packages/CSW389-ds-base
> >in multi-master mode with 4 servers that is primarily used for
> >authentication and user/group/netgroup management.
> >
> >Most of the Password policy components seem to work as they should,
> >but password failure account lockout doesn't appear to engage after
> >X-failed attempts. After creating a new account, testing a successful
> >login, after 5+ failed logins with bad passwords, I can still login
> >after I would expect to be locked out. I even created a new password
> >policy and applied it to this user and it still doesn't lock him out
> >after 5+ failed logins with bad passwords.
>
> Can you reproduce the issue with ldapsearch?
>
> ldapsearch ... -D "uid=myuser,...." -w "badpassword" ...
> repeat 5 times
>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> <mailto:389-users at lists.fedoraproject.org>
> https://admin.fedoraproject.org/mailman/listinfo/389-users
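Justin's suggestion above is to tail the 389 DS access log for the test user; the following Python is an added example (not code from the thread, from 389 DS, or from any poster) of what to look for in that log once captured: it pairs each BIND with its RESULT by conn/op, counts consecutive err=49 binds per DN, and flags a DN that still binds successfully after the lockout threshold, which is the symptom reported in this thread. The sample log lines are constructed in 389 DS access-log style, the second account is hypothetical, and treating err=19 as the server's locked-account response is an assumption.

```python
import re
from collections import defaultdict

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')

def _bind_pair(conn, dn, err):
    """Constructed BIND/RESULT line pair in 389 DS access-log style (sample data, not a real log)."""
    ts = f"[19/Dec/2013:17:00:{conn % 60:02d} +0000]"
    return [f'{ts} conn={conn} op=0 BIND dn="{dn}" method=128 version=3',
            f'{ts} conn={conn} op=0 RESULT err={err} tag=97 nentries=0 etime=0']

TEST_DN = "uid=test-user-account,ou=people,dc=my-domain,dc=com"
OTHER_DN = "uid=other-user,ou=people,dc=my-domain,dc=com"   # hypothetical second account
SAMPLE_LOG = "\n".join(
    sum([_bind_pair(101 + i, TEST_DN, 49) for i in range(3)], [])
    + _bind_pair(104, TEST_DN, 0)              # bind succeeds after 3 failures
    + sum([_bind_pair(105 + i, OTHER_DN, 49) for i in range(3)], [])
    + _bind_pair(108, OTHER_DN, 19))           # err=19: bind refused, account locked

def audit_lockout(log_text, max_failures):
    """Pair each BIND with its RESULT via conn/op, count consecutive err=49 binds
    per DN, and report per DN whether the lockout threshold was honoured.
    Returns {dn: [findings]} with 'lockout_bypassed' when a DN binds successfully
    after max_failures consecutive failures, and 'locked_out' on an err=19 result
    (assumed here to be 389 DS's locked-account response)."""
    pending = {}                      # (conn, op) -> bind DN awaiting its RESULT line
    streak = defaultdict(int)         # dn -> consecutive failed binds
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if not m or (m.group(1), m.group(2)) not in pending:
            continue                  # RESULT of a non-bind op, or no matching BIND seen
        dn, err = pending.pop((m.group(1), m.group(2))), int(m.group(3))
        if err == 49:                 # invalid credentials: extend the failure streak
            streak[dn] += 1
        elif err == 19:               # server enforced the lockout
            findings[dn].append("locked_out")
        elif err == 0:                # successful bind: should the policy have blocked it?
            if streak[dn] >= max_failures:
                findings[dn].append("lockout_bypassed")
            streak[dn] = 0
    return dict(findings)
```

Run it over a real access log with the policy's passwordMaxFailure value as max_failures; a 'lockout_bypassed' finding for a DN confirms the server accepted the bind that the policy should have refused.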