(ITS#5040) modifyTimestamp being updated on login (bind) failure
Full_Name: Dan Cushing
Version: 2.3.36
OS: Solaris 9
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (71.76.187.82)


When running OpenLDAP with the ppolicy overlay, the modifyTimestamp for a user
entry is updated if the user attempts to login (bind) with an incorrect
password.  This is happening because the password lockout feature is enabled and
the operational attribute 'pwdFailureTime' is being updated.  It seems like this
results in a misleading modifyTimestamp.  Is it intended that the
modifyTimestamp attribute be updated when operational attributes are updated?

To reproduce the issue, compile with the ppolicy overlay and enable password
lockout.  Below I've included the entries for a minimal policy.ldif file that I
tested with.  Then perform the following actions.

1) As the directory administrator execute the following search:

   ldapsearch -x -D "cn=Manager,o=testorg.com" -w password -b o=testorg.com uid=testuser pwdFailureTime modifyTimestamp

   This will return something like "modifyTimestamp: 20070705142825Z"

2) As testuser execute the following search:

   ldapsearch -x -D "uid=testuser,o=testorg.com" -w correctPassword -b o=testorg.com uid=testuser modifyTimestamp

   This will also return something like "modifyTimestamp: 20070705142825Z"

3) As testuser execute the following search (note the INCORRECT password):

   ldapsearch -x -D "uid=testuser,o=testorg.com" -w WRONGPassword -b o=testorg.com uid=testuser modifyTimestamp

   This will return something like "ldap_bind: Invalid credentials (49)"

4) As the directory administrator execute the following search:

   ldapsearch -x -D "cn=Manager,o=testorg.com" -w password -b o=testorg.com uid=testuser pwdFailureTime modifyTimestamp

   This will return something like
   "pwdFailureTime: 20070705144735Z
   modifyTimestamp: 20070705144735Z"

   Note that the 'pwdFailureTime' attribute has been created and the
   'modifyTimestamp' attribute has been updated to the time that the bind
   attempt failed.

Contents of my Standard policy file are ...

dn: cn=Standard, ou=Policies, o=testorg.com
pwdLockout: TRUE
pwdMaxFailure: 3
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdFailureCountInterval: 120
pwdLockoutDuration: 3600
cn: Standard
pwdAttribute: userPassword
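
An added check, not part of the report above or of OpenLDAP itself: given two ldapsearch snapshots of an entry (one taken before the suspect bind, one after), it decides whether a change in modifyTimestamp is the side effect of a failed bind or a real modification. The rule is that a failed bind under lockout only touches pwdFailureTime plus the bookkeeping attributes slapd updates on any write (modifyTimestamp, modifiersName, entryCSN), and the newest pwdFailureTime equals the new modifyTimestamp; anything else is treated as a real modification. The snapshots are constructed from the values in the report, and the attribute set BIND_SIDE_EFFECTS and the function names are my own. It also tolerates the optional fractional-seconds form that the GeneralizedTime syntax (RFC 4517) permits, not just the whole-second form shown in the report.

```python
import base64
import re
from datetime import datetime, timezone

# Attributes that a failed bind may legitimately touch when ppolicy lockout is on
# (pwdFailureTime), plus the bookkeeping attributes slapd updates on any write.
# This set is an assumption of this example, not an OpenLDAP constant.
BIND_SIDE_EFFECTS = {"pwdFailureTime", "modifyTimestamp", "modifiersName", "entryCSN"}

# Constructed snapshots modelled on the report's ldapsearch output
# (not captured from a real server).
SNAPSHOT_BEFORE = """\
dn: uid=testuser,o=testorg.com
modifyTimestamp: 20070705142825Z
"""

SNAPSHOT_AFTER_FAILED_BIND = """\
dn: uid=testuser,o=testorg.com
pwdFailureTime: 20070705144735Z
modifyTimestamp: 20070705144735Z
"""

SNAPSHOT_AFTER_REAL_MODIFY = """\
dn: uid=testuser,o=testorg.com
description: updated by an administrator
modifyTimestamp: 20070705150000Z
"""

# GeneralizedTime as slapd emits it: YYYYmmddHHMMSS, optional fraction, 'Z'.
_GT = re.compile(r"^(\d{14})(?:\.\d+)?Z$")


def parse_ldif(text):
    """Minimal LDIF reader: returns {dn: {attribute: [values]}}.
    Unfolds continuation lines (leading space), decodes '::' base64 values,
    skips comments and the version line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries = {}
    dn = None
    for line in lines:
        if not line or line.startswith("#") or line.startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr == "dn":
            dn = value
            entries[dn] = {}
        elif dn is None:
            raise ValueError("attribute line before any dn")
        else:
            entries[dn].setdefault(attr, []).append(value)
    return entries


def parse_generalized_time(value):
    """Parse to an aware UTC datetime at whole-second precision."""
    m = _GT.match(value)
    if not m:
        raise ValueError("unsupported GeneralizedTime: %r" % value)
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def classify_change(before_ldif, after_ldif, dn):
    """Return 'unchanged', 'bind-failure' or 'real-modification' for dn."""
    before = parse_ldif(before_ldif)[dn]
    after = parse_ldif(after_ldif)[dn]
    mt_before = parse_generalized_time(before["modifyTimestamp"][0])
    mt_after = parse_generalized_time(after["modifyTimestamp"][0])
    if mt_after == mt_before:
        return "unchanged"
    # Attribute names whose value lists differ between the two snapshots.
    changed = {a for a in set(before) | set(after) if before.get(a) != after.get(a)}
    failures = [parse_generalized_time(v) for v in after.get("pwdFailureTime", [])]
    if changed <= BIND_SIDE_EFFECTS and failures and max(failures) == mt_after:
        return "bind-failure"
    return "real-modification"


if __name__ == "__main__":
    dn = "uid=testuser,o=testorg.com"
    print(classify_change(SNAPSHOT_BEFORE, SNAPSHOT_AFTER_FAILED_BIND, dn))
    print(classify_change(SNAPSHOT_BEFORE, SNAPSHOT_AFTER_REAL_MODIFY, dn))
```

To use it against a live server, save the output of the administrator's search from step 1 and step 4 to two files and pass their contents to classify_change; a result of "bind-failure" means the modifyTimestamp bump carries no information about the entry's real content having changed, which is the misleading case the report describes.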