Bug 1497761

Summary: Incorrect password tries to bind to all domain controllers and locks user out
Product: Red Hat Enterprise Linux 7
Reporter: aheverle
Component: nss-pam-ldapd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Ondrej Moriš <omoris>
Severity: medium
Priority: medium
Version: 7.4
CC: jhrozek, omoris, pkis
Target Milestone: rc
Target Release: ---
Hardware: All
OS: All
Fixed In Version: nss-pam-ldapd-0.8.13-11.el7
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-04-10 17:24:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description aheverle 2017-10-02 15:31:31 UTC
When using multiple uri entries or an SRV DNS-based record to connect to LDAP in nslcd.conf, and a user types a wrong password at login, the nslcd daemon tries to bind to all domain controllers with this bad credential one after the other, following the server list. This triggers our account lockout policy.

This behavior has been patched upstream:

https://arthurdejong.org/git/nss-pam-ldapd/commit/?id=d8ad7b127363d6d73ab1de6796886fda5eb07054

It has been released as the 0.9.8 package.

Could you backport this fix to the version provided in CentOS 7 / RHEL 7?

We've proven that we can compile an RPM using the newest version, 0.9.8, and fix this issue, but we would prefer Red Hat to backport the fix into a supported package.


We're trying to migrate from winbind to nslcd; except for this behavior, everything works fine. Backporting this fix to Red Hat would be greatly appreciated.
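
A simplified model of the failover decision described above, added here as an illustration and not nslcd's own code: binds are tried against the configured servers in order, and the only difference between the old and the fixed behaviour is whether a wrong-password answer from a reachable server ends the attempt or moves on to the next URI. The three-server layout, the user DN and the per-server bind log mirror the QA test below; the server names and the `run_trial` helper are assumptions.

```python
"""Model of nslcd server failover during a PAM authentication bind.

Constructed example: three directory servers that each record the bind
DNs they see (the equivalent of the slapd.log checks in the test).
"""
from dataclasses import dataclass, field

USER_DN = "uid=ldapuser,dc=my-domain,dc=com"   # DN from the test log
GOOD_PASSWORD = "x"                            # as in the ssh_cmd calls
LDAP_INVALID_CREDENTIALS = 49                  # OpenLDAP result code 0x31
LDAP_SERVER_DOWN = -1                          # connection-level failure


@dataclass
class Server:
    uri: str
    up: bool = True
    password: str = GOOD_PASSWORD
    binds_seen: list = field(default_factory=list)  # stands in for slapd.log

    def bind(self, dn, password):
        if not self.up:
            return LDAP_SERVER_DOWN          # nothing reaches the log
        self.binds_seen.append(dn)
        return 0 if password == self.password else LDAP_INVALID_CREDENTIALS


def bind_failover(servers, dn, password, stop_on_invalid_credentials):
    """Old behaviour: any failure moves on to the next URI, so a bad
    password is replayed against every server. Fixed behaviour: a
    definitive "invalid credentials" answer from a reachable server ends
    the attempt; only unreachable servers are skipped."""
    rc = LDAP_SERVER_DOWN
    for srv in servers:
        rc = srv.bind(dn, password)
        if rc == 0:
            return rc
        if rc == LDAP_INVALID_CREDENTIALS and stop_on_invalid_credentials:
            return rc
    return rc


def run_trial(password, fixed, down=()):
    """Return (bind result, number of bind attempts seen by each server)."""
    servers = [Server(f"ldap://server{i}", up=(i not in down)) for i in (1, 2, 3)]
    rc = bind_failover(servers, USER_DN, password, fixed)
    return rc, [len(s.binds_seen) for s in servers]


if __name__ == "__main__":
    print("old, wrong password:", run_trial("y", fixed=False))   # every server hit
    print("new, wrong password:", run_trial("y", fixed=True))    # only server1 hit
```

With the fix, one wrong password costs one failed bind against the account instead of one per configured server, and failover still happens when the first server is down.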

Comment 2 Jakub Hrozek 2017-10-02 15:34:20 UTC
We do plan on updating nss_pam_ldapd in 7.5, therefore devel_ack.

Thank you for pointing out the upstream commit.

Comment 6 Ondrej Moriš 2018-01-09 17:24:52 UTC
Successfully reproduced and verified on all supported architectures except ppc64le on RHEL-ALT.

OLD (nss-pam-ldapd-0.8.13-8.el7)
================================
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

# Sanity check.
:: [   PASS   ] :: Command 'getent passwd ldapuser' (Expected 0, got 0)

# SSH with correct password, only first server should be queried!
:: [   PASS   ] :: Command 'ssh_cmd ldapuser x whoami' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/ldap-test-server1/slapd.log' should contain 'BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128' 
:: [   PASS   ] :: File '/tmp/ldap-test-server2/slapd.log' should not contain 'BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128' 
:: [   PASS   ] :: File '/tmp/ldap-test-server3/slapd.log' should not contain 'BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128' 

# Clean logs for further testing.
:: [   PASS   ] :: Command 'echo '' >/tmp/ldap-test-server1/slapd.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'echo '' >/tmp/ldap-test-server2/slapd.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'echo '' >/tmp/ldap-test-server3/slapd.log' (Expected 0, got 0)

# SSH with incorrect password to hit the issue, only first server should be queried!
:: [   PASS   ] :: Command 'ssh_cmd ldapuser y whoami' (Expected 2, got 2)
:: [   PASS   ] :: File '/tmp/ldap-test-server1/slapd.log' should contain 'BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128' 
:: [   FAIL   ] :: File '/tmp/ldap-test-server2/slapd.log' should not contain 'BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128' 
:: [   FAIL   ] :: File '/tmp/ldap-test-server3/slapd.log' should not contain 'BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128' 

:: [   LOG    ] :: Duration: 11s
:: [   LOG    ] :: Assertions: 10 good, 2 bad
:: [   FAIL   ] :: RESULT: Test

NEW (nss-pam-ldapd-0.8.13-16.el7)
=================================
:: [   PASS   ] :: Command 'getent passwd ldapuser' (Expected 0, got 0)
:: [   PASS   ] :: Command 'ssh_cmd ldapuser x whoami' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/ldap-test-server1/slapd.log' should contain 'BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128' 
:: [   PASS   ] :: File '/tmp/ldap-test-server2/slapd.log' should not contain 'BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128' 
:: [   PASS   ] :: File '/tmp/ldap-test-server3/slapd.log' should not contain 'BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128' 
:: [   PASS   ] :: Command 'echo '' >/tmp/ldap-test-server1/slapd.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'echo '' >/tmp/ldap-test-server2/slapd.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'echo '' >/tmp/ldap-test-server3/slapd.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'ssh_cmd ldapuser y whoami' (Expected 2, got 2)
:: [   PASS   ] :: File '/tmp/ldap-test-server1/slapd.log' should contain 'BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128' 
:: [   PASS   ] :: File '/tmp/ldap-test-server2/slapd.log' should not contain 'BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128' 
:: [   PASS   ] :: File '/tmp/ldap-test-server3/slapd.log' should not contain 'BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128' 
:: [   LOG    ] :: Duration: 12s
:: [   LOG    ] :: Assertions: 12 good, 0 bad
:: [   PASS   ] :: RESULT: Test

For more details see TCMS TC and RHEL-7.5.0 errata test plan runs.

Comment 9 errata-xmlrpc 2018-04-10 17:24:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0935