Bug 1169974
Summary: | Account lockout attributes incorrectly updated after failed SASL Bind | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | mreynolds |
Component: | 389-ds-base | Assignee: | Noriko Hosoi <nhosoi> |
Status: | CLOSED ERRATA | QA Contact: | Viktor Ashirov <vashirov> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 6.6 | CC: | jgalipea, nkinder, rmeggins, sramling |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | 389-ds-base-1.2.11.15-51.el6 | Doc Type: | Bug Fix |
Doc Text: |
Cause: A failed SASL bind operation, and Account Lockout enabled
Consequence: The Root DSE entry gets incorrectly updated with passwordRetryCount
Fix: Do not update the Account Lockout settings when the failed bind is a SASL bind
Result: The root DSE entry is not modified when a SASL bind fails.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2015-07-22 06:36:20 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
mreynolds
2014-12-02 21:39:09 UTC
Fixed upstream: Verification steps [1] Setup DS [2] Enable Account lockout ldapmodify ... dn: cn=config changetype: modify replace: passwordLockout passwordLockout: on [3] Attempt a SASL BInd (this is expected to fail) ldapsearch -h <host> -p <port> -b "dc=example,dc=com" -v -LLL -Y GSSAPI "uid=*" dn [4] Check the root DSE entry for passwordRetryCount: ldapsearch -b "" -s base -xLLL passwordRetryCount=* passwordRetryCount [5] If the entry is NOT returned, the fix is verified Executed ticket47970 ticket from lib389 and the test passed. Hence, marking the bug as Verified. Build tested: [root@cloud-qe-14 dirsrvtests]# rpm -qa |grep -i 389-ds-base 389-ds-base-libs-1.2.11.15-52.el6.x86_64 389-ds-base-1.2.11.15-52.el6.x86_64 Few lines from Py.test... DEBUG:lib389:Retrieving entry with [('cn=config,cn=ldbm database,cn=plugins,cn=config',)] INFO:lib389:Retrieved entry [dn: cn=config,cn=ldbm database,cn=plugins,cn=config nsslapd-directory: /var/lib/dirsrv/slapd-standalone/db ] INFO:ticket47970_test:Testing Ticket 47970 - Testing that a failed SASL bind does not trigger account lockout INFO:ticket47970_test:account lockout enabled. INFO:ticket47970_test:passwordMaxFailure set. INFO:ticket47970_test:SASL Bind failed as expected INFO:ticket47970_test:Root DSE was correctly not updated PASSED Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-1326.html |