ppolicy and ACLs of pwdAccountLockedTime?

[Jiri Bohac <jbohac@jikos.cz>]

Hi,

I am having troubles making the ppolicy overlay to prevent password
guessing attacks with pwdLockout with slapd-2.4.11-1 in Debian Lenny.

I set pwdMaxFailure to 3. In the user object I am testing with, I never get
more than two entries for pwdFailureTime and pwdAccountLockedTime is never
added at all.

I tracked the problem down to the ACL settings in slapd.conf. With my default
	access to *
		by dn="cn=admin,dc=example,dc=net" write
		by * read
, I get the above result. When I rewrite the last line to "by * write", it works.

The pwdFailureTime is updated, because it is defined as
NO-USER-MODIFICATION, which bypasses te ACL checks for write.
The problem happens when pwdMaxFailure failed logins are reached,
and ppolicy.c tries to update pwdFailureTime and pwdAccountLockedTime
in a single request.

How is this supposed to work? 
- Shouldn't pwdAccountLockedTime also be defined with NO-USER-MODIFICATION?

- couldn't the update request in ppolicy.c be executed with higher
  privileges? I tried to set up an non-anonymous bind in
  pam_ldap but this did not help. 

- is there some recommended ACL setting to  grant the necessary privileges so that
  ppolicy.c can update pwdAccountLockedTime, but users can't?
  I am a splapd newbie, so maybe I don't see something obvious, but in
  the log below, I see: "acl_mask: to all values by "", (=0)" -- that
  looks like an anonymous bind, right? Allowing write for the 
  pwdAccountLockedTime attribute to anyone does not seem a good idea ;-)



Thanks for any insight!


Jiri



P.S.: some detailed notes from my debugging are attached below:

I am authenticating with pam-ldap. When I mis-type the password
of a user and do a search on the user object (with a +, to see
the operational attributes), the pwdFailureTime is created.  This
is good.

When I preform the bad login again, I get a second value for
pwdFailureTime. Still good.

But on the next login, instead of getting a third value for
pwdFailureTime and an updated value for pwdAccountLockedTime, nothing
happens. I put some more debug info into ppolicy_bind_response() like
this:

-----
		 * We only count those failures
		 * which are not due to expire.
		 */
		Debug(LDAP_DEBUG_ANY, "xxx: counting pwdFailureTime %i/%d\n", i, fc, 0);
	}
}
if ((ppb->pp.pwdMaxFailure > 0) &&
	(fc >= ppb->pp.pwdMaxFailure - 1)) {
	Debug(LDAP_DEBUG_ANY, "xxx: trying to insert pwdAccountLockedTime\n", 0, 0, 0);
-----

... in the logs (with loglevel 65535), I really see:

------
Aug  8 00:05:42 localhost slapd[15416]: xxx: counting pwdFailureTime 0/1
Aug  8 00:05:42 localhost slapd[15416]: xxx: counting pwdFailureTime 1/2
Aug  8 00:05:42 localhost slapd[15416]: xxx: trying to insert pwdAccountLockedTime
[snip]
Aug  8 00:05:42 localhost slapd[15416]: => access_allowed: delete access to "uid=j.bohac,ou=users,dc=example,dc=net" "pwdAccountLockedTime" requested
Aug  8 00:05:42 localhost slapd[15416]: => acl_get: [2] attr pwdAccountLockedTime
Aug  8 00:05:42 localhost slapd[15416]: => slap_access_allowed: result not in cache (pwdAccountLockedTime)
Aug  8 00:05:42 localhost slapd[15416]: => acl_mask: access to entry "uid=j.bohac,ou=users,dc=example,dc=net", attr "pwdAccountLockedTime" requested
Aug  8 00:05:42 localhost slapd[15416]: => acl_mask: to all values by "", (=0) 
Aug  8 00:05:42 localhost slapd[15416]: <= check a_dn_pat: cn=admin,dc=example,dc=net
Aug  8 00:05:42 localhost slapd[15416]: <= check a_dn_pat: *
Aug  8 00:05:42 localhost slapd[15416]: <= acl_mask: [2] applying read(=rscxd) (stop)
Aug  8 00:05:42 localhost slapd[15416]: <= acl_mask: [2] mask: read(=rscxd)
Aug  8 00:05:42 localhost slapd[15416]: => slap_access_allowed: delete access denied by read(=rscxd)
Aug  8 00:05:42 localhost slapd[15416]: => access_allowed: no more rules
------