Bug 1497761 - Incorrect password tries to bind to all domain controllers and locks user out
Summary: Incorrect password tries to bind to all domain controllers and locks user out
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss-pam-ldapd
Version: 7.4
Hardware: All
OS: All
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Jakub Hrozek
QA Contact: Ondrej Moriš
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-10-02 15:31 UTC by aheverle
Modified: 2021-06-10 13:10 UTC (History)

Fixed In Version: nss-pam-ldapd-0.8.13-11.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 17:24:59 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System: Red Hat Product Errata
ID: RHBA-2018:0935
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2018-04-10 17:25:33 UTC

Description aheverle 2017-10-02 15:31:31 UTC
When using multiple uri or a SRV DNS based record to connect to ldap in nslcd.conf, and when a user types a wrong password at login, the nslcd daemon tries to bind to all domain controllers with this bad credential one after the other, following the server list. This triggers our account lockout policy.

This behavior has been patched upstream 

https://arthurdejong.org/git/nss-pam-ldapd/commit/?id=d8ad7b127363d6d73ab1de6796886fda5eb07054

It has been released as the 0.9.8 package.

Could you backport this fix to the version provided in CentOS 7 / RHEL 7?

We've proven that we could compile an RPM using the newest version 0.9.8 and fix this issue, but we would prefer Red Hat to backport the fix into a supported package.


We're trying to migrate from winbind to nslcd; except for this behavior, everything works fine. Backporting this fix to Red Hat would be greatly appreciated.

Comment 2 Jakub Hrozek 2017-10-02 15:34:20 UTC
We do plan on updating nss_pam_ldapd in 7.5, therefore devel_ack.

Thank you for pointing out the upstream commit.

Comment 6 Ondrej Moriš 2018-01-09 17:24:52 UTC
Successfully reproduced and verified on all supported architectures except ppc64le on RHEL-ALT.

OLD (nss-pam-ldapd-0.8.13-8.el7)
================================
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

# Sanity check.
:: [   PASS   ] :: Command 'getent passwd ldapuser' (Expected 0, got 0)

# SSH with correct password, only first server should be queried!
:: [   PASS   ] :: Command 'ssh_cmd ldapuser x whoami' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/ldap-test-server1/slapd.log' should contain 'BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128' 
:: [   PASS   ] :: File '/tmp/ldap-test-server2/slapd.log' should not contain 'BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128' 
:: [   PASS   ] :: File '/tmp/ldap-test-server3/slapd.log' should not contain 'BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128' 

# Clean logs for further testing.
:: [   PASS   ] :: Command 'echo '' >/tmp/ldap-test-server1/slapd.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'echo '' >/tmp/ldap-test-server2/slapd.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'echo '' >/tmp/ldap-test-server3/slapd.log' (Expected 0, got 0)

# SSH with incorrect password to hit the issue, only first server should be queried!
:: [   PASS   ] :: Command 'ssh_cmd ldapuser y whoami' (Expected 2, got 2)
:: [   PASS   ] :: File '/tmp/ldap-test-server1/slapd.log' should contain 'BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128' 
:: [   FAIL   ] :: File '/tmp/ldap-test-server2/slapd.log' should not contain 'BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128' 
:: [   FAIL   ] :: File '/tmp/ldap-test-server3/slapd.log' should not contain 'BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128' 

:: [   LOG    ] :: Duration: 11s
:: [   LOG    ] :: Assertions: 10 good, 2 bad
:: [   FAIL   ] :: RESULT: Test

NEW (nss-pam-ldapd-0.8.13-16.el7)
=================================
:: [   PASS   ] :: Command 'getent passwd ldapuser' (Expected 0, got 0)
:: [   PASS   ] :: Command 'ssh_cmd ldapuser x whoami' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/ldap-test-server1/slapd.log' should contain 'BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128' 
:: [   PASS   ] :: File '/tmp/ldap-test-server2/slapd.log' should not contain 'BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128' 
:: [   PASS   ] :: File '/tmp/ldap-test-server3/slapd.log' should not contain 'BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128' 
:: [   PASS   ] :: Command 'echo '' >/tmp/ldap-test-server1/slapd.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'echo '' >/tmp/ldap-test-server2/slapd.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'echo '' >/tmp/ldap-test-server3/slapd.log' (Expected 0, got 0)
:: [   PASS   ] :: Command 'ssh_cmd ldapuser y whoami' (Expected 2, got 2)
:: [   PASS   ] :: File '/tmp/ldap-test-server1/slapd.log' should contain 'BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128' 
:: [   PASS   ] :: File '/tmp/ldap-test-server2/slapd.log' should not contain 'BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128' 
:: [   PASS   ] :: File '/tmp/ldap-test-server3/slapd.log' should not contain 'BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128' 
:: [   LOG    ] :: Duration: 12s
:: [   LOG    ] :: Assertions: 12 good, 0 bad
:: [   PASS   ] :: RESULT: Test

For more details see TCMS TC and RHEL-7.5.0 errata test plan runs.
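The description above explains the fan-out (one wrong password replayed against every configured server) and the verification log shows how it was checked (a BIND for the user's DN must appear only in the first server's slapd.log). The following added example, not part of the bug report or of nss-pam-ldapd, applies that same check to constructed slapd "stats" log lines for three servers and quantifies the lockout amplification; the server names, the err=49 RESULT lines and the lockout threshold are assumptions for illustration.

```python
import re
from math import ceil

# Constructed sample slapd "stats" log lines for three servers, modelled on the
# BIND lines the verification test greps for. Not taken from the bug report.
DN = "uid=ldapuser,dc=my-domain,dc=com"
SERVER_LOGS = {
    "server1": 'conn=1001 fd=12 ACCEPT from IP=10.0.0.5:41234 (IP=0.0.0.0:389)\n'
               'conn=1001 op=0 BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128\n'
               'conn=1001 op=0 RESULT tag=97 err=49 text=\n',
    "server2": 'conn=2001 op=0 BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128\n'
               'conn=2001 op=0 RESULT tag=97 err=49 text=\n',
    "server3": 'conn=3001 op=0 BIND dn="uid=ldapuser,dc=my-domain,dc=com" method=128\n'
               'conn=3001 op=0 RESULT tag=97 err=49 text=\n',
}

# method=128 is a simple bind; RESULT tag=97 err=49 is invalidCredentials.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]+)" method=128')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')


def failed_simple_binds(log_text, dn):
    """Count simple binds for `dn` whose matching RESULT line reports err=49."""
    pending = set()
    failed = 0
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m and m.group(3) == dn:
            pending.add((m.group(1), m.group(2)))
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            pending.discard((m.group(1), m.group(2)))
            if m.group(3) == "49":
                failed += 1
    return failed


def servers_with_failed_bind(logs, dn):
    """Servers (in configured order) that saw a failed bind for `dn`."""
    return [name for name, text in logs.items() if failed_simple_binds(text, dn) > 0]


def fans_out(logs, dn):
    """True when one wrong password produced failed binds beyond the first server."""
    return len(servers_with_failed_bind(logs, dn)) > 1


def typos_until_lockout(lockout_threshold, servers_tried):
    """User mistypes needed to hit the threshold when each one is replayed
    against `servers_tried` controllers that share one bad-password count."""
    return ceil(lockout_threshold / servers_tried)
```

With the fixed package only server1's log contains the BIND line, so fans_out returns False and the lockout budget is consumed one attempt per typo again.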

Comment 9 errata-xmlrpc 2018-04-10 17:24:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0935

