Bug 1169974 - Account lockout attributes incorrectly updated after failed SASL Bind
Summary: Account lockout attributes incorrectly updated after failed SASL Bind
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.6
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-12-02 21:39 UTC by mreynolds
Modified: 2015-07-22 06:36 UTC (History)
4 users (show)

(edit)
Cause: A failed SASL bind operation, and Account Lockout enabled

Consequence: The Root DSE entry gets incorrectly updated with passwordRetryCount

Fix: Do not update the Account Lockout settings when the failed bind is a SASL bind 

Result: The root DSE entry is not modified when a SASL bind fails.
Clone Of:
(edit)
Last Closed: 2015-07-22 06:36:20 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:1326 normal SHIPPED_LIVE 389-ds-base bug fix and enhancement update 2015-07-20 17:53:07 UTC

Description mreynolds 2014-12-02 21:39:09 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47970

When a SASL bind fails, the target DN is not set.  If password policy account lockout is configured, it attempts to update the password retry count on the dn ("") - which is the Root DSE entry, not a user entry.

This also confuses the COS plugin, and it incorrectly triggers a COS cache rebuild after the failed login.

Comment 2 mreynolds 2014-12-04 21:40:38 UTC
Fixed upstream:

Verification steps

[1]  Setup DS
[2]  Enable Account lockout

ldapmodify ...
dn: cn=config
changetype: modify
replace: passwordLockout
passwordLockout: on

[3]  Attempt a SASL BInd (this is expected to fail)

 ldapsearch -h <host> -p <port>  -b "dc=example,dc=com" -v -LLL -Y GSSAPI "uid=*" dn

[4]  Check the root DSE entry for passwordRetryCount:


 ldapsearch -b "" -s base -xLLL passwordRetryCount=* passwordRetryCount

[5]  If the entry is NOT returned, the fix is verified

Comment 4 Sankar Ramalingam 2015-03-11 13:13:13 UTC
Executed ticket47970 ticket from lib389 and the test passed. Hence, marking the bug as Verified.

Build tested:
[root@cloud-qe-14 dirsrvtests]# rpm -qa |grep -i 389-ds-base
389-ds-base-libs-1.2.11.15-52.el6.x86_64
389-ds-base-1.2.11.15-52.el6.x86_64

Few lines from Py.test...

DEBUG:lib389:Retrieving entry with [('cn=config,cn=ldbm database,cn=plugins,cn=config',)]
INFO:lib389:Retrieved entry [dn: cn=config,cn=ldbm database,cn=plugins,cn=config
nsslapd-directory: /var/lib/dirsrv/slapd-standalone/db

]
INFO:ticket47970_test:Testing Ticket 47970 - Testing that a failed SASL bind does not trigger account lockout
INFO:ticket47970_test:account lockout enabled.
INFO:ticket47970_test:passwordMaxFailure set.
INFO:ticket47970_test:SASL Bind failed as expected
INFO:ticket47970_test:Root DSE was correctly not updated
PASSED

Comment 5 errata-xmlrpc 2015-07-22 06:36:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1326.html


Note You need to log in before you can comment on or make changes to this bug.