912725 – LDAP account lockout inconsistency

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 912725 - LDAP account lockout inconsistency

Summary: LDAP account lockout inconsistency

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Rob Crittenden
QA Contact:	Michael Gregg
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1088772
TreeView+	depends on / blocked

Reported:	2013-02-19 14:08 UTC by Dmitri Pal
Modified:	2019-04-16 14:01 UTC (History)
CC List:	5 users (show)
Fixed In Version:	ipa-3.3.3-17.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1088772 (view as bug list)
Environment:
Last Closed:	2014-06-13 10:56:15 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Dmitri Pal 2013-02-19 14:08:05 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3433

If an account is locked due max no. of incorrect logins, krb5 server refuses auth for that user, but ldap accepts the user password.

{{{
# kinit kaushik
kinit: Clients credentials have been revoked while getting initial
credentials 

# ldapsearch -x -LLL -b "dc=testrelm,dc=com" -D
"uid=kaushik,cn=users,cn=accounts,dc=testrelm,dc=com" -W
Enter LDAP Password:
dn: cn=compat,dc=testrelm,dc=com
objectClass: extensibleObject
cn: compat
...
}}}

There appear to be two bugs:

A copy-and-paste error related to admin unlock:

{{{
@@ -705,7 +705,7 @@ static int ipalockout_preop(Slapi_PBlock *pb)
              time_t unlock;

              memset(&tm, 0, sizeof(struct tm));
-            res = sscanf(lastfail,
+            res = sscanf(unlock_time,
                           "%04u%02u%02u%02u%02u%02u",
                           &tm.tm_year, &tm.tm_mon, &tm.tm_mday,
                           &tm.tm_hour, &tm.tm_min, &tm.tm_sec);
}}}

And an off-by-one error allowing LDAP one more bite at the apple:

{{{
                           &tm.tm_hour, &tm.tm_min, &tm.tm_sec);
@@ -736,7 +736,7 @@ static int ipalockout_preop(Slapi_PBlock *pb)
          goto done;
      }

-    if (failedcount > max_fail) {
+    if (failedcount >= max_fail) {
          if (time_now < last_failed + lockout_duration) {
              /* Too many failures */
              LOG_TRACE("Too many failed logins. %lu out of %d\n", 
failedcount, max_fail);
}}}

Additional testing is needed to confirm these are the only two problems.

Comment 1 Rob Crittenden 2013-03-21 19:48:42 UTC

Fixed upstream.

master: 797baef1a433d14694fcb234c24828c1ad4019dc

The testing around this is really complex. I'd suggest testing these with lockout duration == 0 and  lockout duration > 0:

- ensure that the failure interval is enforced properly in both cases.
- ensure that administrative unlock unlocks both
- the max fail is calculated properly
- # of failures caps out at maxfail, and last failed is not changed once the max is met

You'll need to do all testing using ldapsearch, or a combination of them. On the kerberos side this policy is enforced by the KDC.

Comment 13 Martin Kosek 2014-01-31 07:43:49 UTC

Moving to assigned, there is a recent regression (caused by a fix in Bug 1045218) in ipa-lockout plugin which made the ipa-lockout plugin ineffective in some cases.

Comment 14 Martin Kosek 2014-02-03 07:58:43 UTC

Regression fixed upstream:

master: https://fedorahosted.org/freeipa/changeset/d85e2c9a8220e5a61c8dbc205d71693e832b668a
ipa-3-3: https://fedorahosted.org/freeipa/changeset/11ebbe3f27fdf18e2578b533eb2560e9f88eeede

Comment 16 Martin Kosek 2014-02-04 11:55:42 UTC

There was a regression in ipa-lockout which did not start on clean IPA installation.

master: b351b210be4809b856915a9c63a4288ebd3c9fdf
ipa-3-3: 43070359eb267c3eb3b290f5f601e9509a63389f

Fixed in ipa-3.3.3-17.el7.

Comment 17 Michael Gregg 2014-02-24 21:03:05 UTC

Verified against ipa-server-3.3.3-18.el7.x86_64

[root@ipaqa64vmb ~]# echo bad1 | kinit fail-login
Password for fail-login: 
kinit: Password incorrect while getting initial credentials
[root@ipaqa64vmb ~]# echo bad1 | kinit fail-login
Password for fail-login: 
kinit: Password incorrect while getting initial credentials
[root@ipaqa64vmb ~]# echo bad1 | kinit fail-login
kinit: Clients credentials have been revoked while getting initial credentials
[root@ipaqa64vmb ~]# echo bad1 | kinit fail-login
kinit: Clients credentials have been revoked while getting initial credentials
[root@ipaqa64vmb ~]# echo bad1 | kinit fail-login
kinit: Clients credentials have been revoked while getting initial credentials
[root@ipaqa64vmb ~]# echo bad1 | kinit fail-login
kinit: Clients credentials have been revoked while getting initial credentials

Ldap search now fails as expected.

[root@ipaqa64vmb ~]# /usr/bin/ldapsearch -x -D "uid=fail-login,cn=users,cn=accounts,dc=testrelm,dc=test" -w 1111 -b 'uid=fail-login,cn=users,cn=accounts,dc=testrelm,dc=test' objectclass=*
ldap_bind: Server is unwilling to perform (53)
	additional info: Too many failed logins.

Comment 25 Ludek Smid 2014-06-13 10:56:15 UTC

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.