Bug 1085529

Summary: RHEV-M server appears to send the bad authentication to the AD server repeatedly, locking the account.
Product: Red Hat Enterprise Virtualization Manager
Reporter: Michael Everette <meverett>
Component: ovirt-engine
Assignee: Yair Zaslavsky <yzaslavs>
Status: CLOSED ERRATA
QA Contact: Ondra Machacek <omachace>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 3.3.0
CC: aberezin, acathrow, akotov, anande, iheim, lpeer, meverett, omachace, oourfali, pstehlik, Rhev-m-bugs, tpoitras, yeylon, yzaslavs
Target Milestone: ---
Target Release: 3.4.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: infra
Fixed In Version: org.ovirt.engine-root-3.4.0-14
Doc Type: Bug Fix
Doc Text:
Previously, if a user entered an incorrect password on the User Portal, the RHEV-M server sent the bad authentication to the Active Directory server repeatedly. This caused the account to be locked. After fixing this issue, an incorrect password is only sent once.
Story Points: ---
Clone Of:
: 1088123
Environment:
Last Closed: 2014-06-09 15:06:03 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1088123

Description Michael Everette 2014-04-08 20:26:03 UTC
Description of problem:

After upgrading from 3.2 to 3.3.1, if a user enters an incorrect password on the User Portal, the RHEV-M server appears to send the bad authentication to the AD server repeatedly, locking the account.

Version-Release number of selected component (if applicable):

rhevm-3.3.1-0.48.el6ev.noarch

How reproducible:



Steps to Reproduce:
1. provide incorrect password when attempting to authenticate


Actual results:

user is locked out due to multiple attempts:

CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_ACCOUNT_IS_LOCKED_OR_DISABLED


Expected results:

should fail once and allow for new attempt:

CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE

Comment 3 Yair Zaslavsky 2014-04-10 10:04:33 UTC
It can be seen that there is an attempt to query multiple ldap servers.

Can you provide us with the output of dig SRV _ldap._tcp.<DOMAIN>

and dig SRV _kerberos._tcp.<DOMAIN>

where <DOMAIN> is the DNS domain?

I would like to verify that.


Many thanks!

Comment 16 Ondra Machacek 2014-04-30 10:58:48 UTC
Shouldn't the next LDAP server be tried for an invalid username? Currently it's not.

Authentication Failed. Client not found in kerberos database.
2014-04-30 12:11:19,019 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp-/127.0.0.1:8702-4) Failed ldap search server LDAP://dc-02.ad2.rhev.lab.eng.brq.redhat.com:389 using user aaa.LAB.ENG.BRQ.REDHAT.COM due to Authentication Failed. Client not found in kerberos database.. We should not try the next server

For a bad password it just tries one server and stops. Thus moving to verified.
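An added illustration of the failover logic behind this bug and the behaviour verified in the comment above, written for this page in Python; it is a constructed model, not code from ovirt-engine. The server names, the account table and the outcome labels are assumptions.

```python
from dataclasses import dataclass, field

# Possible outcomes of a bind against one LDAP server (constructed labels).
OK = "ok"
BAD_PASSWORD = "invalid_credentials"   # AD counts this toward lockout
CLIENT_NOT_FOUND = "client_not_found"  # principal unknown to the Kerberos DB
UNREACHABLE = "unreachable"            # network/transient: safe to fail over

# Final for these credentials: another replica would only replay the same
# bad password and advance the user's bad-password count.
CREDENTIAL_ERRORS = {BAD_PASSWORD, CLIENT_NOT_FOUND}


@dataclass
class FakeDomain:
    """Constructed stand-in for a domain whose SRV records list several servers.
    accounts: user -> password; down: unreachable servers;
    bad_attempts: failed binds per user, the figure a lockout threshold watches."""
    servers: list
    accounts: dict
    down: set = field(default_factory=set)
    bad_attempts: dict = field(default_factory=dict)

    def bind(self, server, user, password):
        if server in self.down:
            return UNREACHABLE
        if user not in self.accounts:
            return CLIENT_NOT_FOUND
        if self.accounts[user] != password:
            self.bad_attempts[user] = self.bad_attempts.get(user, 0) + 1
            return BAD_PASSWORD
        return OK


def authenticate_naive(domain, user, password):
    """Behaviour from the report: every failure moves on to the next server,
    so one mistyped password is replayed to every replica."""
    result = UNREACHABLE
    for server in domain.servers:
        result = domain.bind(server, user, password)
        if result == OK:
            return result
    return result


def authenticate_fixed(domain, user, password):
    """Fixed behaviour: fail over only on transient errors; stop at the first
    server that reports a credential error."""
    result = UNREACHABLE
    for server in domain.servers:
        result = domain.bind(server, user, password)
        if result == OK or result in CREDENTIAL_ERRORS:
            return result
    return result
```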

Comment 17 errata-xmlrpc 2014-06-09 15:06:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2014-0506.html

Comment 18 Red Hat Bugzilla 2023-09-14 02:06:03 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days