Bug 1170709

Summary: Account lockout attributes incorrectly updated after failed SASL Bind
Product: Red Hat Enterprise Linux 7 Reporter: mreynolds
Component: 389-ds-baseAssignee: Noriko Hosoi <nhosoi>
Status: CLOSED ERRATA QA Contact: Viktor Ashirov <vashirov>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0CC: amsharma, nkinder, rmeggins
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.3.3.1-10.el7 Doc Type: Bug Fix
Doc Text:
Cause: A failed SASL bind operation, and Account Lockout enabled Consequence: The Root DSE entry gets incorrectly updated with passwordRetryCount Fix: Do not update the Account Lockout settings when the failed bind is a SASL bind Result: The root DSE entry is not modified when a SASL bind fails.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 09:39:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description mreynolds 2014-12-04 16:23:57 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47970

When a SASL bind fails, the target DN is not set.  If password policy account lockout is configured, it attempts to update the password retry count on the dn ("") - which is the Root DSE entry, not a user entry.

This also confuses the COS plugin, and it incorrectly triggers a COS cache rebuild after the failed login.
Comment 1 mreynolds 2014-12-04 21:41:07 UTC 
Fixed upstream:

Verification steps

[1]  Setup DS
[2]  Enable Account lockout

ldapmodify ...
dn: cn=config
changetype: modify
replace: passwordLockout
passwordLockout: on

[3]  Attempt a SASL BInd (this is expected to fail)

 ldapsearch -h <host> -p <port>  -b "dc=example,dc=com" -v -LLL -Y GSSAPI "uid=*" dn

[4]  Check the root DSE entry for passwordRetryCount:


 ldapsearch -b "" -s base -xLLL passwordRetryCount=* passwordRetryCount

[5]  If the entry is NOT returned, the fix is verified
Comment 3 Amita Sharma 2014-12-26 12:59:48 UTC 
[root@dhcp201-126 pwpolicy]# ldapmodify -D "cn=directory manager" -w Secret123 -p 389 -h localhost << EOF
> dn: cn=config
> changetype: modify
> replace: passwordLockout
> passwordLockout: on
> EOF
modifying entry "cn=config"

[root@dhcp201-126 pwpolicy]# ldapsearch -h localhost -p 389  -b "dc=example,dc=com" -v -LLL -Y GSSAPI "uid=*" dn
ldap_initialize( ldap://localhost:389 )
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)
[root@dhcp201-126 pwpolicy]# ldapsearch -b "" -s base -xLLL passwordRetryCount=* passwordRetryCount
[root@dhcp201-126 pwpolicy]# 

Hence VERIFIED
Comment 5 errata-xmlrpc 2015-03-05 09:39:57 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html