Red Hat Bugzilla – Bug 1085529
RHEV-M server appears to send the bad authentication to the AD server repeatedly, locking the account.
Last modified: 2016-02-10 14:20:58 EST
Description of problem: After upgrading from 3.2 to 3.3.1 if a user enters an incorrect password on the User Portal, the RHEV-M server appears to send the bad authentication to the AD server repeatedly, locking the account. Version-Release number of selected component (if applicable): rhevm-3.3.1-0.48.el6ev.noarch How reproducible: Steps to Reproduce: 1. provide incorrect password when attempting to authenticate Actual results: user is locked out due to multiple attempts: CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_ACCOUNT_IS_LOCKED_OR_DISABLED Expected results: should fail once and allow for new attempt: CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE
It can be seen that there is an attempt to query multiple ldap servers. Can you provide us dig SRV _ldap._tcp.<DOMAIN> and dig SRV _kerberos._tcp.<DOMAIN> where <DOMAIN> is the DNS domain? I would like to verify that. Many thanks!
Shouldn't be tried next ldap server for invalid username? Currently it's not. Authentication Failed. Client not found in kerberos database. 2014-04-30 12:11:19,019 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp-/127.0.0.1:8702-4) Failed ldap search server LDAP://dc-02.ad2.rhev.lab.eng.brq.redhat.com:389 using user aaa@AD2.RHEV.LAB.ENG.BRQ.REDHAT.COM due to Authentication Failed. Client not found in kerberos database.. We should not try the next server For bad password it just try one server and stop. Thus moving to verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2014-0506.html