[389-users] Password Failure Lockout doesn't seem to work
Rich Megginson
rmeggins at redhat.com
Mon Nov 25 22:49:32 UTC 2013
On 11/25/2013 03:33 PM, JLPicard wrote:
> Hi, I am testing out 389_ds_base, version =1.2.11.15,REV=2013.01.31
> running on mixed Solaris 10 servers (SPARC and X86) sourced from
> http://www.opencsw.org/packages/CSW389-ds-base
> in multi-master mode with 4 servers that is primarily used for
> authentication and user/group/netgroup management.
>
> Most of the password policy components seem to work as they should,
> but password failure account lockout doesn't appear to engage after
> X failed attempts. After creating a new account and testing a successful
> login, I can still log in after 5+ failed logins with bad passwords, when
> I would expect to be locked out. I even created a new password policy
> and applied it to this user, and it still doesn't lock him out after 5+
> failed logins with bad passwords.
Can you reproduce the issue with ldapsearch?
ldapsearch ... -D "uid=myuser,...." -w "badpassword" ...
repeat 5 times
>
> The client server I am trying to login to is a Solaris 10 Sparc OS
> that successfully integrates into LDAP for authentication and
> user/group/netgroup management.
>
> Can someone recommend some steps to determine where to start attacking
> this issue? I assume this is a 389DS issue, but I provided a copy of
> our /etc/pam.conf and /etc/nsswitch.conf in case it's a client-side
> configuration issue.
>
> I have provided some quick diagnostics of the current settings as shown
> by ldapsearch in this environment (see below).
> Thanks in advance for any help you may provide.
>
> #Here is the global password policy:
> >>ldapsearch -x -ZZ -LLL -h ldap-dr01.my-domain.com -D 'cn=directory manager' -b 'cn=config' -s base 'objectClass=*' '*' passwordHistory | grep password
> passwordInHistory: 6
> passwordUnlock: on
> passwordGraceLimit: 0
> passwordMustChange: off
> passwordWarning: 86400
> passwordLockout: off
> passwordMinLength: 8
> passwordMinDigits: 0
> passwordMinAlphas: 0
> passwordMinUppers: 0
> passwordMinLowers: 0
> passwordMinSpecials: 0
> passwordMin8bit: 0
> passwordMaxRepeats: 0
> passwordMinCategories: 3
> passwordMinTokenLength: 3
> passwordMaxFailure: 3
> passwordHistory: off
> passwordMaxAge: 8640000
> passwordResetFailureCount: 600
> passwordisglobalpolicy: on
> passwordlegacypolicy: on
> passwordtrackupdatetime: off
> passwordChange: on
> passwordExp: off
> passwordLockoutDuration: 3600
> passwordCheckSyntax: off
> passwordMinAge: 0
> passwordStorageScheme: SSHA
>
>
> #Here is my newly created policy
> >>ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "cn=nsPwPolicyContainer,ou=people,dc=my-domain,dc=com" "(&(objectClass=ldapsubentry)(objectClass=passwordPolicy)(cn=TestNewPolicy))"
> dn: cn=TestNewPolicy,cn=nsPwPolicyContainer,ou=people,dc=my-domain,dc=com
> cn: TestNewPolicy
> objectClass: top
> objectClass: ldapsubentry
> objectClass: passwordPolicy
> passwordMustChange: on
> passwordChange: on
> passwordMinAge: 0
> passwordKeepHistory: on
> passwordInHistory: 12
> passwordExp: on
> passwordMaxAge: 86400
> passwordWarning: 10000
> passwordGraceLimit: 5
> passwordLockout: on
> passwordMaxFailure: 4
> passwordResetDuration: 600
> passwordLockoutDuration: 3600
> passwordCheckSyntax: on
> passwordMinLength: 6
> passwordMinAlphas: 1
> passwordMinCategories: 1
> passwordMinDigits: 1
> passwordMinLowers: 1
> passwordMinUppers: 1
> passwordMinSpecials: 0
> passwordMin8bit: 0
> passwordMaxRepeats: 0
> passwordMinTokenLength: 3
> passwordStorageScheme: SSHA
>
> #Here is my newly created user with the test policy applied to him
> >>ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" "cn=test-user-account"
> dn: uid=test-user-account,ou=people,dc=my-domain,dc=com
> description: accountHasItsOwnPwdPolicy
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: account
> objectClass: top
> uid: test-user-account
> cn: test-user-account
> uidNumber: 2853
> gidNumber: 2600
> gecos: User LDAP Test
> homeDirectory: /home/test-user-account
> loginShell: /bin/tcsh
>
> >>ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" "cn=test-user-account" pwdPolicySubentry
> dn: uid=test-user-account,ou=people,dc=my-domain,dc=com
> pwdPolicySubentry: cn=TestNewPolicy,cn=nsPwPolicyContainer,ou=people,dc=my-domain,dc=com
>
> >>ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" "cn=test-user-account" passwordExpirationtime
> dn: uid=test-user-account,ou=people,dc=my-domain,dc=com
> passwordExpirationtime: 20131126160316Z
>
>
> Here is my Solaris-based PAM file: /etc/pam.conf
> #ident "@(#)pam.conf 1.31 07/12/07 SMI"
> #
> # Copyright 2007 Sun Microsystems, Inc. All rights reserved.
> # Use is subject to license terms.
> #
> # PAM configuration
> #
> # Unless explicitly defined, all services use the modules
> # defined in the "other" section.
> #
> # Modules are defined with relative pathnames, i.e., they are
> # relative to /usr/lib/security/. Absolute path names, as
> # present in this file in previous releases are still acceptable.
> #
> # Authentication management
> #
> # login service (explicit because of pam_dial_auth)
> #
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth required pam_unix_cred.so.1
> login auth required pam_dial_auth.so.1
> login auth binding pam_unix_auth.so.1 server_policy
> login auth required pam_ldap.so.1
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> rlogin auth sufficient pam_rhosts_auth.so.1
> rlogin auth requisite pam_authtok_get.so.1
> rlogin auth required pam_dhkeys.so.1
> rlogin auth required pam_unix_cred.so.1
> rlogin auth binding pam_unix_auth.so.1 server_policy
> rlogin auth required pam_ldap.so.1
> #
> # Kerberized rlogin service
> #
> #
> # rsh service (explicit because of pam_rhost_auth,
> # and pam_unix_auth for meaningful pam_setcred)
> #
> rsh auth sufficient pam_rhosts_auth.so.1
> rsh auth required pam_unix_cred.so.1
> rsh auth binding pam_unix_auth.so.1 server_policy
> rsh auth required pam_ldap.so.1
> #
> # Kerberized rsh service
> #
> #
> # Kerberized telnet service
> #
> #
> # PPP service (explicit because of pam_dial_auth)
> #
> ppp auth requisite pam_authtok_get.so.1
> ppp auth required pam_dhkeys.so.1
> ppp auth required pam_dial_auth.so.1
> ppp auth binding pam_unix_auth.so.1 server_policy
> ppp auth required pam_ldap.so.1
> #
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> #
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth binding pam_unix_auth.so.1 server_policy
> other auth required pam_ldap.so.1
> #
> # passwd command (explicit because of a different authentication module)
> #
> passwd auth binding pam_passwd_auth.so.1 server_policy
> passwd auth required pam_ldap.so.1
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron account required pam_unix_account.so.1
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> other account requisite pam_roles.so.1
> other account binding pam_unix_account.so.1 server_policy
> other account required pam_list.so.1 allow=/etc/user.allow
> other account required pam_ldap.so.1
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> other session required pam_unix_session.so.1
> #
> # Default definition for Password management
> # Used when service name is not explicitly mentioned for password management
> #
> other password required pam_dhkeys.so.1
> other password requisite pam_authtok_get.so.1
> other password requisite pam_authtok_check.so.1
> other password required pam_authtok_store.so.1 server_policy
> #
> # Support for Kerberos V5 authentication and example configurations can
> # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
> #
> ppp auth required pam_unix_cred.so.1
> ppp auth required pam_unix_auth.so.1
> krlogin auth required pam_unix_cred.so.1
> krlogin auth required pam_krb5.so.1
> krsh auth required pam_unix_cred.so.1
> krsh auth required pam_krb5.so.1
> ktelnet auth required pam_unix_cred.so.1
> ktelnet auth required pam_krb5.so.1
>
> Here is my Solaris-based NSSWITCH file: /etc/nsswitch.conf
> #
> # Copyright 2006 Sun Microsystems, Inc. All rights reserved.
> # Use is subject to license terms.
> #
> # ident "@(#)nsswitch.ldap 1.10 06/05/03 SMI"
>
> #
> # /etc/nsswitch.ldap:
> #
> # An example file that could be copied over to /etc/nsswitch.conf; it
> # uses LDAP in conjunction with files.
> #
> # "hosts:" and "services:" in this file are used only if the
> # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
>
> # LDAP service requires that svc:/network/ldap/client:default be enabled
> # and online.
>
> # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
> passwd: files ldap
> group: files ldap
>
> # consult /etc "files" only if ldap is down.
> hosts: files dns
>
> # Note that IPv4 addresses are searched for in all of the ipnodes databases
> # before searching the hosts databases.
> ipnodes: files dns
>
> networks: files
> protocols: files
> rpc: files
> ethers: files
> netmasks: files
> bootparams: files
> publickey: files
>
> netgroup: ldap
>
> automount: files ldap
> aliases: files ldap
>
> # for efficient getservbyname() avoid ldap
> services: files ldap
>
> printers: user files ldap
>
> auth_attr: files ldap
> prof_attr: files ldap
>
> project: files ldap
>
> tnrhtp: files ldap
> tnrhdb: files ldap
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
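Added example, not code from the thread or from the 389 DS project: a POSIX shell script that does what Rich suggests, driving passwordMaxFailure bad binds with the same OpenLDAP ldapsearch client the post already uses and then binding once with the correct password. If the lockout has engaged, 389 DS rejects even the correct password with LDAP result code 19 (constraintViolation, "Exceed password retry limit. Please try later."), because the lock is checked before the password is; a wrong password on an account that is still open is rejected with 49 (invalidCredentials). The OpenLDAP tools exit with the result code of the failed bind, so the script uses the exit status as its verdict. Host name, user DN, passwords and the Directory Manager password are placeholders read from the environment; point every bind at one host (-h) so the failure count is not spread across the four masters. The driver takes the bind routine as a parameter so it can be dry-run with a stub before it touches a real server.

```shell
#!/bin/sh
# Added example for the 389-users thread above; not code from the original post.
# Drives a 389 DS password-lockout test with the OpenLDAP ldapsearch client and
# classifies every bind result. Host, DNs and passwords below are placeholders
# taken from the environment; adjust them to your deployment.
LDAP_HOST="${LDAP_HOST:-my-ldapHost01.my-domain.com}"
USER_DN="${USER_DN:-uid=test-user-account,ou=people,dc=my-domain,dc=com}"
DM_DN="${DM_DN:-cn=directory manager}"
DM_PW="${DM_PW:-changeme}"
GOOD_PW="${GOOD_PW:-correct-password}"
BAD_PW="${BAD_PW:-wrong-password}"
MAX_FAILURE="${MAX_FAILURE:-4}"     # passwordMaxFailure of the policy under test

# The OpenLDAP tools exit with the LDAP result code of the failed bind.
# 389 DS answers a wrong password with 49 (invalidCredentials) while the
# account is still open, and with 19 (constraintViolation, "Exceed password
# retry limit. Please try later.") once the lockout has engaged; the lock is
# checked before the password, so a correct password also gets 19.
classify_bind_rc() {
    case "$1" in
        0)  echo ok ;;
        49) echo bad_password ;;
        19) echo locked ;;
        *)  echo "other($1)" ;;
    esac
}

# Live bind probe: authenticate as the test user with the given password and
# read the user's own entry without attributes (1.1). Exit status = result code.
ldap_bind_probe() {
    ldapsearch -x -ZZ -LLL -h "$LDAP_HOST" -D "$USER_DN" -w "$1" \
        -b "$USER_DN" -s base '(objectClass=*)' 1.1 >/dev/null 2>&1
}

# Show which policy applies and the lockout bookkeeping the server keeps on the
# entry. These are operational attributes, so they must be requested by name;
# bind as Directory Manager so no ACI hides them.
show_lockout_state() {
    ldapsearch -x -ZZ -LLL -h "$LDAP_HOST" -D "$DM_DN" -w "$DM_PW" \
        -b "$USER_DN" -s base '(objectClass=*)' \
        pwdPolicySubentry passwordRetryCount retryCountResetTime accountUnlockTime
}

# Generic driver: $1 = number of bad binds, $2 = a bind function that takes the
# password as its only argument (ldap_bind_probe, or a stub for dry runs).
# Succeeds only if $1 bad binds followed by one bind with the correct password
# come back as "locked"; anything else means the policy did not engage.
run_lockout_probe() {
    attempts="$1"; bind_fn="$2"; i=1
    while [ "$i" -le "$attempts" ]; do
        rc=0; "$bind_fn" "$BAD_PW" || rc=$?
        echo "bad bind $i/$attempts -> $(classify_bind_rc "$rc")"
        i=$((i + 1))
    done
    rc=0; "$bind_fn" "$GOOD_PW" || rc=$?
    verdict=$(classify_bind_rc "$rc")
    echo "correct password after $attempts failures -> $verdict"
    [ "$verdict" = locked ]
}

main() {
    echo "== policy and lockout state before the test =="
    show_lockout_state
    if run_lockout_probe "$MAX_FAILURE" ldap_bind_probe; then
        echo "RESULT: lockout engaged after $MAX_FAILURE failures"
    else
        echo "RESULT: lockout did NOT engage; check passwordLockout and passwordMaxFailure of the policy shown above"
    fi
    echo "== lockout state after the test =="
    show_lockout_state
}

# Only run the live test when asked to, so the functions can also be sourced:
#   DM_PW=... GOOD_PW=... sh lockout_probe.sh run
if [ "${1:-}" = run ]; then
    main
fi
```

The server side of the same exchange is visible in the instance's access log: the bad-password binds appear as RESULT err=49 tag=97 and the locked-out binds as RESULT err=19 tag=97. If the script reports that lockout did not engage, compare the pwdPolicySubentry it printed with the policy you expected to apply, and check that the failures are really reaching the directory as BIND operations rather than being compared locally by the client.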