
Re: (ITS#6411) Possible bug in Overlay pPolicy



jarbas.junior@gmail.com wrote:
> Full_Name: Jarbas Peixoto Junior
> Version: 2.4.11 / 2.4.17 / 2.4.20
> OS: Gnu/Linux Debian
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (200.152.34.143)
>
>
> Possible bug in Overlay pPolicy
>
> I have OpenLDAP installed via the Debian Lenny package functioning normally.
>
> Aiming to test the Debian Squeeze version, I installed the slapd package
> (2.4.17-2.1) on the test machine with the same setup as Debian Lenny (2.4.11).
>
> However, when testing the pPolicy overlay I noticed that an authentication
> with a wrong password runs through all objects in the LDAP database, causing a
> "delay" that does not exist in the Lenny version.
>
> Below is some information that may be useful in detecting the problem:
>
> File: slapd.conf
> ====================
> moduleload      ppolicy
> overlay ppolicy
> ppolicy_default	"cn=default,ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,dc=br"
> ppolicy_use_lockout
> ====================
>
> ldapsearch -LLL -x -H ldap://squeeze -b
> ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,dc=br
> '(cn=default)'
> dn: cn=default,ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,d
>   c=br
> objectClass: top
> objectClass: device
> objectClass: pwdPolicy
> pwdAttribute: userPassword
> description:: UG9sw610aWNhIGRlIFNlbmhhIERlZmF1bHQgcGFyYSB0b2RvcyB1c3XDoXJpb3M=
> pwdAllowUserChange: TRUE
> pwdFailureCountInterval: 3600
> pwdGraceAuthNLimit: 5
> pwdInHistory: 0
> pwdLockoutDuration: 60
> pwdMaxAge: 7776000
> pwdMinAge: 0
> pwdMinLength: 6
> pwdSafeModify: FALSE
> pwdCheckQuality: 1
> pwdExpireWarning: 600
> cn: default
> pwdMustChange: FALSE
> pwdMaxFailure: 10
> pwdLockout: FALSE
>
> date ; ldapsearch -LLL -x -H ldap://squeeze -b
> ou=usuarios,dc=previdencia,dc=gov,dc=br -D
> uid=jarbas.peixoto,ou=pessoas,ou=usuarios,dc=previdencia,dc=gov,dc=br -w
> wrong-password '(uid=jarbas.peixoto)' cn mail pwdFailureTime
> pwdAccountLockedTime modifyTimeStamp ; date
> Qua Dez  2 16:14:56 AMST 2009
> ldap_bind: Invalid credentials (49)
> Qua Dez  2 16:15:36 AMST 2009
>
> grep 'access_allowed: search access to' /var/log/debug | wc -l
> 83714
>
> The question is: why is it accessing all entries in LDAP?

Don't know. This would have to be the result of a search operation, but there 
is no search code in ppolicy.c. Since ppolicy cannot be the culprit, we'll 
need to see the rest of your config to track down the issue.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
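As an added illustration (not code from the report or from OpenLDAP), a Python check that attributes the `access_allowed: search access to` lines to the bind that triggered them, rather than the single global count the report's grep gives. It assumes the stats-level `conn=N op=M BIND/RESULT` lines and the ACL debug lines land in one file in order; the log excerpt and DNs are constructed.

```python
import re

# Constructed slapd log excerpt (not from the report). Assumes stats lines
# ("conn=N op=M BIND ..." / "... RESULT tag=97 err=E") and ACL-level
# '=> access_allowed: search access to "<dn>" "<attr>" requested' lines
# interleave in one file in the order slapd emitted them.
SAMPLE_LOG = """\
conn=1000 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=org" method=128
=> access_allowed: search access to "uid=u1,ou=people,dc=example,dc=org" "uid" requested
=> access_allowed: search access to "uid=u2,ou=people,dc=example,dc=org" "uid" requested
=> access_allowed: search access to "uid=u3,ou=people,dc=example,dc=org" "uid" requested
=> access_allowed: search access to "uid=u4,ou=people,dc=example,dc=org" "uid" requested
conn=1000 op=0 RESULT tag=97 err=49 text=
conn=1001 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=org" method=128
=> access_allowed: search access to "uid=bob,ou=people,dc=example,dc=org" "uid" requested
conn=1001 op=0 RESULT tag=97 err=0 text=
"""

BIND_RE = re.compile(r'^conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'^conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')
ACL_RE = re.compile(r'access_allowed: search access to "([^"]*)"')

def entries_touched_per_bind(log_text):
    """Map each BIND (conn, op) to its bind DN, result code and the set of
    distinct entry DNs that ACL search checks touched before its RESULT."""
    results = {}
    current = None   # (conn, op) of the bind currently in progress
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            results[current] = {"dn": m.group(3), "err": None, "entries": set()}
            continue
        m = ACL_RE.search(line)
        if m and current is not None:
            results[current]["entries"].add(m.group(1))
            continue
        m = RESULT_RE.match(line)
        if m and (m.group(1), m.group(2)) == current:
            results[current]["err"] = int(m.group(3))
            current = None
    return results

def suspicious_binds(log_text, threshold):
    """Bind DNs whose failed bind (err=49, invalid credentials) touched more
    than `threshold` distinct entries: the whole-database walk reported above."""
    return [r["dn"] for r in entries_touched_per_bind(log_text).values()
            if r["err"] == 49 and len(r["entries"]) > threshold]
```

A threshold near the directory's entry count separates a bind that legitimately touches its own entry from one that walks the whole database.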