This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/183

https://bugzilla.redhat.com/show_bug.cgi?id=740527

{{{
Description of problem:
The revocation error process is triggered not when maximum number of tries is reached but the next time after. This seems to have changed in Sun DS 6 and is considered the right behaviour and is required by customer applications.

Example: say we configure 3 tries maximum for revocation, the flow is the following:
1st try: Invalid password
2nd try: Invalid password
3rd try: Invalid password
4th try and next : Revoked password

Version-Release number of selected component (if applicable):
8.2

How reproducible:
Always.

Steps to Reproduce:
1. Define maximum number of login tries to 3
2. Login with wrong password until password is revoked
3.

Actual results:
1st try: Invalid password
2nd try: Invalid password
3rd try: Invalid password
4th try and next : Revoked password

Expected results:
1st try: Invalid password
2nd try: Invalid password
3rd try and next : Revoked password

Additional info:
}}}
*** Bug 740527 has been marked as a duplicate of this bug. ***
This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development. This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
bug834060 in pwpolicy/pwdpolicy.sh
Steps to verify:

1) Enable password lockout:

ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w password << EOF
dn: cn=config
changetype: modify
replace: passwordLockout
passwordLockout: on
EOF

2) Set password max failure to 3:

ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w password << EOF
dn: cn=config
changetype: modify
replace: passwordMaxFailure
passwordMaxFailure: 3
EOF

3) Set passwordLegacyPolicy to off:

ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w password << EOF
dn: cn=config
changetype: modify
replace: passwordLegacyPolicy
passwordLegacyPolicy: off
EOF

4) Add user:

ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w password << EOF
dn: $MYDN
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: test user0
sn: user0
givenName: test
userPassword: password
EOF

5) Try to bind 2 times with incorrect password and check that return code is 49:

ldapsearch -h localhost -p 22222 -D "$MYDN" -w "invalidPassword" -b "$BASE" "uid=$MYUID"
echo $?
49

$LDAPSEARCH -h $LDAPhost -p $LDAPport -D "$MYDN" -w "invalidPassword" -b "$BASE" "uid=$MYUID"
echo $?
49

6) Try to bind third time with incorrect password:

$LDAPSEARCH -h $LDAPhost -p $LDAPport -D "$MYDN" -w "invalidPassword" -b "$BASE" "uid=$MYUID"
echo $?
19

[jrusnack@dstet 6.0]$ rpm -qa | grep 389
389-ds-base-1.2.11.15-2.el6.x86_64

Verified
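
A repeatable form of the check above, as an added example that is not part of the verification comment or of the 389-ds test suite: it runs a failing bind passwordMaxFailure + 1 times and compares each exit code with the sequence this report expects. The function names and the `sim_bind` stand-in (constructed so the script runs without a server) are assumptions; the `on` case models the behaviour the report describes as the original one.

```shell
#!/bin/sh
# Added example (not from the bug report): check the exit codes of repeated
# failed binds against the lockout sequence described in this report.
# 49 = invalidCredentials, 19 = constraintViolation (account locked).

# expected_rc ATTEMPT MAX LEGACY: print the code expected for the ATTEMPT-th
# consecutive failed bind. LEGACY=on models the behaviour the report calls
# the original one (locked on the try after the limit); off is the fixed one.
expected_rc() {
    if [ "$3" = "on" ]; then threshold=$(($2 + 1)); else threshold=$2; fi
    if [ "$1" -ge "$threshold" ]; then echo 19; else echo 49; fi
}

# verify_lockout MAX LEGACY BIND_CMD...: run BIND_CMD MAX+1 times and compare
# every exit code with expected_rc. Returns 0 only if the whole sequence matches.
verify_lockout() {
    max=$1; legacy=$2; shift 2
    i=1; status=0
    while [ "$i" -le $((max + 1)) ]; do
        rc=0
        "$@" >/dev/null 2>&1 || rc=$?
        want=$(expected_rc "$i" "$max" "$legacy")
        if [ "$rc" -ne "$want" ]; then
            echo "attempt $i: got $rc, expected $want" >&2
            status=1
        fi
        i=$((i + 1))
    done
    return "$status"
}

# Constructed stand-in for a failing bind so the script runs without a server.
# SIM_LEGACY selects which of the two behaviours the fake server shows.
SIM_FAILS=0; SIM_MAX=3; SIM_LEGACY=off
sim_bind() {
    SIM_FAILS=$((SIM_FAILS + 1))
    limit=$SIM_MAX
    if [ "$SIM_LEGACY" = "on" ]; then limit=$((SIM_MAX + 1)); fi
    if [ "$SIM_FAILS" -ge "$limit" ]; then return 19; fi
    return 49
}

# Against a live server the bind command would be the ldapsearch from step 5:
#   verify_lockout 3 off ldapsearch -h localhost -p 22222 -D "$MYDN" \
#       -w invalidPassword -b "$BASE" "uid=$MYUID"
verify_lockout 3 off sim_bind && echo "locked on the 3rd failed bind: OK"
```

Use a throwaway test entry as the bind DN, since the run leaves that account locked.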
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0503.html