
(ITS#8762) Unlocking an account doesn't remove pwdFailureTime



Full_Name: Mihai Munteanu
Version: 2.4.44
OS: CentOS7 x64
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (86.12.190.162)


Scenario:
0. We have configured that after 3 failed login attempts the account is
locked.
1. user test1 fails to login 3 times -> account is locked
2. admin unlocks test1's account and notifies the test1 user
3. user test1 tries once to log in using a wrong password and gets his account
locked again.
Expectation here: the account should not be locked after the first attempt with a
wrong password, but after the third attempt, as was the case in step 1.
It turns out that it is locked again after the first attempt because in step 2
only the pwdAccountLockedTime field is removed from LDAP, but not the
pwdFailureTime fields.
It seems pwdFailureTime is internally cleared only:
- when test1 successfully authenticates (with his account unlocked)
- when the admin changes test1's password

See my details below:
$>ldapsearch -x -b "cn=test1,ou=users,dc=thales,dc=com" +
...
pwdChangedTime: 20171027043554Z
pwdFailureTime: 20171027052019.225837Z
pwdFailureTime: 20171027052021.776604Z
pwdFailureTime: 20171027052024.436413Z
pwdAccountLockedTime: 20171027052024Z
entryCSN: 20171027055105.381686Z#000000#000#000000
...

$>cat unlock.ldif:
dn: cn=test1,ou=users,dc=thales,dc=com
changetype: modify
delete: pwdAccountLockedTime
-
delete: pwdFailureTime


$>ldapmodify -x -W -D "cn=admin,ou=users,dc=thales,dc=com" -f unlock.ldif
Enter LDAP Password: 
modifying entry "cn=test1,ou=users,dc=thales,dc=com"
ldap_modify: Constraint violation (19)
	additional info: pwdFailureTime: no user modification allowed

$>cat unlock.ldif
dn: cn=test1,ou=users,dc=thales,dc=com
changetype: modify
delete: pwdAccountLockedTime

$>ldapmodify -x -W -D "cn=jamessmith,ou=users,dc=thales,dc=com" -f unlock.ldif
Enter LDAP Password: 
modifying entry "cn=test1,ou=users,dc=thales,dc=com"

$>ldapsearch -x -b "cn=test1,ou=users,dc=thales,dc=com" +
...
pwdChangedTime: 20171027043554Z
pwdFailureTime: 20171027052019.225837Z
pwdFailureTime: 20171027052021.776604Z
pwdFailureTime: 20171027052024.436413Z
entryCSN: 20171027055105.381686Z#000000#000#000000
...

Result: pwdAccountLockedTime is removed, but pwdFailureTime is not automatically
removed as well.
Expected: since I'm not allowed to remove pwdFailureTime, I would expect it to be
automatically removed via the removal of pwdAccountLockedTime.
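As an added example (not part of the ITS report or of OpenLDAP): a small Python check that parses the LDIF lines ldapsearch prints and flags the state described above, where pwdAccountLockedTime is gone but the retained pwdFailureTime values already reach pwdMaxFailure, so the next wrong password relocks the account. The policy value of 3 is the reporter's; the attribute samples are the ones quoted in the report.

```python
"""Added example, not part of the ITS report: flag an entry that was unlocked
by deleting pwdAccountLockedTime while its pwdFailureTime values stayed, so
the very next wrong password relocks it. Input is LDIF as ldapsearch prints it."""
from collections import defaultdict

PWD_MAX_FAILURE = 3  # the reporter's policy: 3 failed binds lock the account

# Operational attributes quoted in the report, before and after the unlock.
LOCKED_ENTRY = """\
pwdFailureTime: 20171027052019.225837Z
pwdFailureTime: 20171027052021.776604Z
pwdFailureTime: 20171027052024.436413Z
pwdAccountLockedTime: 20171027052024Z
"""
UNLOCKED_ENTRY = """\
pwdFailureTime: 20171027052019.225837Z
pwdFailureTime: 20171027052021.776604Z
pwdFailureTime: 20171027052024.436413Z
"""

def parse_ldif_attrs(text):
    """Return {attribute: [values]}; joins folded lines (leading space),
    keeps all values of multi-valued attributes, skips comments/'...'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # LDIF line folding
        else:
            lines.append(raw)
    attrs = defaultdict(list)
    for line in lines:
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        attrs[name.strip()].append(value.lstrip(": ").strip())
    return attrs

def lockout_state(attrs, max_failure=PWD_MAX_FAILURE):
    """Return (state, tolerated): 'locked' if pwdAccountLockedTime is set;
    'stale-counter' if unlocked but the retained pwdFailureTime count already
    reaches pwdMaxFailure (next failure relocks); else 'ok' with how many
    further wrong passwords are tolerated before the one that locks."""
    failures = len(attrs.get("pwdFailureTime", []))
    if attrs.get("pwdAccountLockedTime"):
        return "locked", 0
    if failures >= max_failure:
        return "stale-counter", 0
    return "ok", max_failure - failures - 1
```

The server discounts pwdFailureTime values older than pwdFailureCountInterval when that policy attribute is set; this check counts every value present, so treat it as a conservative indicator.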