[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: (ITS#7228) Authentication Problem When Using PPolicy and Chaining

To: openldap-its@OpenLDAP.org
Subject: RE: (ITS#7228) Authentication Problem When Using PPolicy and Chaining
From: Jong.Limb@dss.virginia.gov
Date: Thu, 5 Apr 2012 15:33:01 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

I believe the test is incorrect.  Near the bottom of the script, there
is this section of code:

$LDAPSEARCH -H $URI2 -D "$USER" -w wrongpw >$SEARCHOUT 2>&1
$LDAPSEARCH -H $URI1 -D "$MANAGERDN" -w $PASSWD -b "$USER" \* \+ >>
$SEARCHOUT 2>&1
COUNT=`grep "pwdFailureTime" $SEARCHOUT | wc -l`
echo "jkl 13"
if test $COUNT != 1 ; then
        echo "Policy state forwarding failed"
        test $KILLSERVERS != no && kill -HUP $KILLPIDS
        exit 1
fi

The first LDAPSEARCH should have its return code checked, and for an
incorrect password, it should be 49.  If the script is modified to check
for 49 and fail otherwise, it will fail.

Unfortunately, I am not in a position to use a newer version of
OpenLDAP, but I will build it and run the tests to see if the problem
exists there as well.

I will report back with my findings.

Jong Limb
Division of Information Systems
Virginia Department of Social Services
804-726-7823


-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com] 
Sent: Thursday, April 05, 2012 10:17 AM
To: Limb, Jong (VDSS)
Cc: openldap-its@OpenLDAP.org
Subject: Re: (ITS#7228) Authentication Problem When Using PPolicy and
Chaining

jong.limb@dss.virginia.gov wrote:
> Full_Name: Jong K. Limb
> Version: 2.4.23
> OS: RHEL 5.3
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (166.67.66.5)
>
>
> I have the following setup:
> - Provider LDAP server used only by those applications that change
passwords
> - Consumer LDAP servers used by all applications that want to
authenticate
> users
> - The provider and consumers have password policy configured so that
the
> accounts lock after 3 failed attempts
> - In order to maintain synchronization of failed login attempts across
all
> consumers, I also enabled chaining from the consumers to the master
>
> If an attempt is made to authenticate against the consumer with an
invalid
> password (for example, using ldapsearch), the pwdFailureTime attribute
is
> added/updated on the provider and eventually synced to the consumer,
but the
> operation succeeds when it should not have.
>
> If I remove the password policy overlay (leaving all other
configuration the
> same) and run ldapsearch with an invalid password against a consumer,
the
> operation will fail with invalid credentials as it should.
>
> I have done a little debugging, and it looks like the response that
gets
> returned to the client is the response to the modify operation that
the consumer
> makes to the provider to add/update the pwdFailureTime attribute, and
not the
> response to the bind operation.  The modify operation is successful
here, so the
> client continues on with the search or other operation.

Unable to confirm this. Note that this is tested explicitly in test022
of the 
test suite, and no such behavior occurs there.

You're running a pretty old release, perhaps you should update.
Regardless, 
unless you can provide more details to reproduce this situation, this
ITS will 
be closed.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Prev by Date: Re: (ITS#7226) olcAuditlogFile At dos not accept multiple values
Next by Date: RE: (ITS#7228) Authentication Problem When Using PPolicy and Chaining
Index(es):
- Chronological
- Thread