[389-users] Password Failure Lockout doesn't seem to work

JLPicard jlpicard15 at hotmail.com
Tue Nov 26 13:13:18 UTC 2013


Yes, I can: after 8 consecutive failed authentications, the account can 
still successfully query the DS with the correct password.

% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w goodPwrd "cn=test-user-account"
dn: uid=test-user-account,ou=people,dc=my-domain,dc=com
description: accountHasItsOwnPwdPolicy
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
uid: test-user-account
cn: test-user-account
uidNumber: 2853
gidNumber: 2600
gecos: LDAP Test
homeDirectory: /home/test-user-account
loginShell: /bin/tcsh


On 11/25/2013 5:49 PM, 389-users-request at lists.fedoraproject.org wrote:
> From: Rich Megginson <rmeggins at redhat.com>
> To: "General discussion list for the 389 Directory server project." <389-users at lists.fedoraproject.org>
> Cc: JLPicard <jlpicard15 at hotmail.com>
> Subject: Re: [389-users] Password Failure Lockout doesn't seem to work
> Message-ID: <5293D3FC.2090907 at redhat.com>
>
> On 11/25/2013 03:33 PM, JLPicard wrote:
>> Hi, I am testing out 389_ds_base, version=1.2.11.15,REV=2013.01.31
>> running on mixed Solaris 10 servers (SPARC and X86) sourced from
>> http://www.opencsw.org/packages/CSW389-ds-base
>> in multi-master mode with 4 servers that is primarily used for
>> authentication and user/group/netgroup management.
>>
>> Most of the Password policy components seem to work as they should,
>> but password failure account lockout doesn't appear to engage after
>> X failed attempts.  After creating a new account, testing a successful
>> login, after 5+ failed logins with bad passwords, I can still login
>> after I would expect to be locked out.  I even created a new password
>> policy and applied it to this user and it still doesn't lock him out
>> after 5+ failed logins with bad passwords.
> Can you reproduce the issue with ldapsearch?
>
> ldapsearch ... -D "uid=myuser,...." -w "badpassword" ...
> repeat 5 times
>
>
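Added example (my own, not code from the thread or from 389 DS): a script that repeats the bad-bind test from the post under one loop, then binds as the root DN to read the per-entry counters the server keeps for failed binds (passwordRetryCount, retryCountResetTime, accountUnlockTime) together with the policy switches that decide whether a lockout can happen at all (passwordLockout, passwordMaxFailure, nsslapd-pwpolicy-local, passwordIsGlobalPolicy), and states which of them explains the result. The host, DNs and passwords are the hypothetical ones from the post; the root DN "cn=Directory Manager" (the 389 DS default) and an OpenLDAP ldapsearch on PATH are assumptions.

```python
#!/usr/bin/env python3
"""Repeat the bad-bind test from the thread, then read back what the server
recorded. Added example; not code from the thread or from 389 DS itself.
Assumes OpenLDAP's ldapsearch is on PATH and that the host, DNs and passwords
(taken from the post) and the root DN (389 DS default "cn=Directory Manager")
match your deployment."""
import subprocess
import sys
from datetime import datetime, timezone

HOST = "my-ldapHost01.my-domain.com"                      # from the post
BASE = "dc=my-domain,dc=com"
USER_DN = "uid=test-user-account,ou=people,dc=my-domain,dc=com"
ROOT_DN = "cn=Directory Manager"                          # assumption: default root DN

# Per-entry operational attributes 389 DS updates on failed binds. They are
# not returned unless requested by name.
USER_ATTRS = ["passwordRetryCount", "retryCountResetTime",
              "accountUnlockTime", "pwdpolicysubentry"]
# Policy attributes; read from cn=config or from the entry's local policy.
POLICY_ATTRS = ["passwordLockout", "passwordMaxFailure", "passwordLockoutDuration",
                "passwordResetFailureCount", "passwordUnlock",
                "nsslapd-pwpolicy-local", "passwordIsGlobalPolicy"]


def ldapsearch(bind_dn, password, base, filt, attrs=(), scope="sub"):
    """One simple bind over STARTTLS plus a search; returns (rc, stdout, stderr).
    rc 49 is "Invalid credentials", which a locked account also returns."""
    cmd = ["ldapsearch", "-x", "-ZZ", "-LLL", "-h", HOST, "-b", base, "-s", scope,
           "-D", bind_dn, "-w", password, filt, *attrs]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


def parse_ldif(text):
    """Tiny LDIF reader for one entry: lower-cased attribute -> list of values.
    Joins folded continuation lines (leading space) and skips comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        key, _, val = line.partition(":")
        entry.setdefault(key.strip().lower(), []).append(val.strip())
    return entry


def parse_gentime(value):
    """GeneralizedTime as 389 DS writes it, e.g. 20131126131318Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def lockout_verdict(user, global_cfg, policy, now):
    """Explain, from the attributes, why the last bind was or was not rejected."""
    if user.get("pwdpolicysubentry") and \
            global_cfg.get("nsslapd-pwpolicy-local", ["off"])[0].lower() != "on":
        return "local policy present but nsslapd-pwpolicy-local is off; global policy applies"
    if policy.get("passwordlockout", ["off"])[0].lower() != "on":
        return "passwordLockout is off: failed binds are not counted"
    max_fail = int(policy.get("passwordmaxfailure", ["3"])[0])
    retries = int(user.get("passwordretrycount", ["0"])[0])
    unlock = user.get("accountunlocktime", [None])[0]
    if unlock and parse_gentime(unlock) > now:
        return f"locked until {unlock}"
    if unlock:
        unlock_pol = policy.get("passwordunlock", ["on"])[0]
        return f"accountUnlockTime {unlock} is not in the future (passwordUnlock: {unlock_pol})"
    if retries == 0:
        return "no failure recorded on this server (counters are local unless passwordIsGlobalPolicy is on)"
    if retries < max_fail:
        return f"not locked: {retries}/{max_fail} failures"
    return f"{retries}/{max_fail} failures but no accountUnlockTime set"


def main(root_pw, bad_attempts=8):
    for i in range(1, bad_attempts + 1):            # each should return rc 49
        rc, _, err = ldapsearch(USER_DN, "badPword", BASE, "cn=test-user-account")
        print(f"bad bind {i}: rc={rc} {err.strip()}")
    rc, _, err = ldapsearch(USER_DN, "goodPwrd", BASE, "cn=test-user-account")
    print(f"good bind after {bad_attempts} failures: rc={rc} {err.strip()}")
    # Now read the counters and the policy as the root DN, on the same master.
    now = datetime.now(timezone.utc)
    _, out, _ = ldapsearch(ROOT_DN, root_pw, USER_DN, "(objectClass=*)", USER_ATTRS, "base")
    user = parse_ldif(out)
    _, out, _ = ldapsearch(ROOT_DN, root_pw, "cn=config", "(objectClass=*)", POLICY_ATTRS, "base")
    global_cfg = parse_ldif(out)
    policy = global_cfg
    if user.get("pwdpolicysubentry"):               # entry is under a local policy
        _, out, _ = ldapsearch(ROOT_DN, root_pw, user["pwdpolicysubentry"][0],
                               "(objectClass=*)", POLICY_ATTRS, "base")
        policy = parse_ldif(out)
    for k in ("passwordretrycount", "retrycountresettime", "accountunlocktime", "pwdpolicysubentry"):
        print(f"{k}: {user.get(k, ['-'])[0]}")
    print(lockout_verdict(user, global_cfg, policy, now))


if __name__ == "__main__":
    main(sys.argv[1])
```

Run it as `python3 lockout_check.py '<root DN password>'` against the same master the bad binds go to. If the good bind still succeeds and passwordRetryCount reads 0, the failures were never counted under the policy the entry is actually subject to: a local policy (the DN in the entry's pwdpolicysubentry) is only consulted when nsslapd-pwpolicy-local is on in cn=config, and the counters are kept per master unless passwordIsGlobalPolicy is on, so a bind bounced off another master leaves no trace here.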