Bug 1130316
Summary: | IPA account is not locked when max failures are exceeded for GSSAPI | ||
---|---|---|---|
Product: | [oVirt] ovirt-engine-extension-aaa-ldap | Reporter: | Ondra Machacek <omachace> |
Component: | Profile.ipa | Assignee: | Alon Bar-Lev <alonbl> |
Status: | CLOSED WORKSFORME | QA Contact: | Ondra Machacek <omachace> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 1.0.0 | CC: | bazulay, bugs, dpal, ecohen, gklein, iheim, omachace, oourfali, yzaslavs |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | infra | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2014-09-01 08:19:46 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1063095 |
Description
Ondra Machacek
2014-08-14 20:30:16 UTC
this cannot be a bug in the client... but the server... in this case ipa. server cannot be expected that the client takes care of user locking... or it is totally insecure. same can probably introduced using simple kinit. also, please try to push back testing of kerberos, it is not priority at all, priority is plain ldap. Itamar Heim 2014-08-17 06:27:23 EDT Target Release: --- → 3.5.0 not our bug. 0. using kerberos is not a priority for the generic ldap. 1. please do not use sequences for system properties settings but /etc/ovirt-engine/engine.conf.d/xxx.conf::ENGINE_PROPERTIES 2. pool.default.auth.type = gssapi is sufficient, no need for the other settings. 3. there are other variables that are needed to be set in order to have successful kerberos configuration, I will send you these. The subject is misleading, it is not related to ipa specific as no authentication is actually done per what you wrote me. ok, I am beginning to understand what you have done... you try to use locked user as search user... what I am guessing happens is that the when bind fails it remains in anonymous bind, and as anonymous bind can access all objects you have full functionality. however, using: vars.user = my_test vars.password = fake pool.authz.auth.type = gssapi at initialization I get: 2014-08-19 17:11:01,467 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (DefaultQuartzScheduler_Worker-34) Exception during sequence: LDAPException(resultCode=32 (no such object), errorMessage='no such object') at com.unboundid.ldap.sdk.LDAPConnection.bind(LDAPConnection.java:2178) [unboundid-ldapsdk.jar:2.3.7] 2014-08-19 17:11:01,482 ERROR [org.ovirt.engine.core.bll.aaa.SyncUsers] (DefaultQuartzScheduler_Worker-34) Error during user synchronization of extension ldap-authz-ipa1. Exception message is no such object at authentication I get: 2014-08-19 17:30:02,131 ERROR [org.ovirt.engine.core.bll.aaa.SyncUsers] (DefaultQuartzScheduler_Worker-34) Error during user synchronization of extension ldap-authz-ipa1. Exception message is An error occurred while attempting to initialize the JAAS login context for GSSAPI authentication: javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31) - PREAUTH_FAILED caused by KrbException: Integrity check on decrypted field failed (31) - PREAUTH_FAILED caused by KrbException: Identifier doesn't match expected value (906) so I cannot reproduce this using locked user. now... a configuration in which a end user is authenticated using gssapi is completely different... you should add the following to configuration: auth-check.ad-authn.auth.type = gssapi then with latest extension (7d503c) add the following into the authn extension properties file: config.globals.bindFormat.simple_bindFormat = realm there is no much sense in using gssapi to authenticate end-users as the ldap plays no part in authentication, better to implement gssapi authn extension to do so, get the user principal and use the ldap authz. this is why kerberos is last priority. ok, I think the problem is you did not set: pool.authz.auth.type = gssapi Ondra - can you verify that? until issue cannot be determined, priority cannot be high nor target release can be set. Works fine with: auth-check.default.auth.type = gssapi pool.authz.auth.gssapi.authenticationID = lock_test pool.authz.auth.gssapi.password = change account is locked. |