I have built and tested 2.4.30, and it works as expected. I now get invalid credentials when I hit the consumer with an incorrect password.
However, I believe that the script should still be modified to check the return code from the first ldapsearch in order to prevent something like this developing in the future.
You can close this ITS. Thanks.
Jong Limb Division of Information Systems Virginia Department of Social Services 804-726-7823
-----Original Message-----
From: Limb, Jong (VDSS)
Sent: Thursday, April 05, 2012 11:31 AM
To: 'Howard Chu'
Cc: openldap-its@OpenLDAP.org
Subject: RE: (ITS#7228) Authentication Problem When Using PPolicy and Chaining
I believe the test is incorrect. Near the bottom of the script, there is this section of code:
    $LDAPSEARCH -H $URI2 -D "$USER" -w wrongpw >$SEARCHOUT 2>&1
    $LDAPSEARCH -H $URI1 -D "$MANAGERDN" -w $PASSWD -b "$USER" * + >> $SEARCHOUT 2>&1
    COUNT=`grep "pwdFailureTime" $SEARCHOUT | wc -l`
    echo "jkl 13"
    if test $COUNT != 1 ; then
        echo "Policy state forwarding failed"
        test $KILLSERVERS != no && kill -HUP $KILLPIDS
        exit 1
    fi
The first LDAPSEARCH should have its return code checked, and for an incorrect password, it should be 49. If the script is modified to check for 49 and fail otherwise, it will fail.
Unfortunately, I am not in a position to use a newer version of OpenLDAP, but I will build it and run the tests to see if the problem exists there as well.
I will report back with my findings.
Jong Limb Division of Information Systems Virginia Department of Social Services 804-726-7823
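As an added example (this is not the OpenLDAP test script and not code posted in this thread), here is one way the return-code check suggested above could be written in sh. It relies on ldapsearch exiting with the LDAP result code of the failed operation, so a rejected simple bind yields 49 (invalidCredentials). The function name, the variable names and the usage sketch at the end are assumptions made for the example, chosen to match the style of the suite's scripts.

```sh
#!/bin/sh
# Added example (not from the OpenLDAP test suite): check the exit status of the
# wrong-password ldapsearch itself instead of only counting pwdFailureTime
# afterwards. ldapsearch exits with the LDAP result code of the failed
# operation, so a rejected simple bind gives 49 (invalidCredentials).

LDAP_INVALID_CREDENTIALS=49

# LDAPSEARCH may be overridden; the OpenLDAP test scripts set it themselves.
LDAPSEARCH=${LDAPSEARCH:-ldapsearch}

# bind_must_fail URI BINDDN OUTFILE
# Attempts a simple bind as BINDDN with a deliberately wrong password and a
# base-scope search of the entry itself. Returns 0 only when the server
# answered invalidCredentials; any other status is reported as a failure,
# including 0, which would mean the wrong password was accepted.
bind_must_fail() {
    uri=$1
    binddn=$2
    out=$3

    $LDAPSEARCH -x -H "$uri" -D "$binddn" -w wrongpw \
        -b "$binddn" -s base 1.1 >"$out" 2>&1
    rc=$?

    case $rc in
        "$LDAP_INVALID_CREDENTIALS")
            return 0
            ;;
        0)
            echo "bind with wrong password was accepted (rc=0), output in $out" >&2
            return 1
            ;;
        *)
            echo "unexpected ldapsearch exit status $rc, output in $out" >&2
            return 1
            ;;
    esac
}

# Usage sketch in the style of the test scripts (assumed variable names):
#   bind_must_fail "$URI2" "$USER" "$SEARCHOUT" || {
#       echo "Bind with wrong password was not rejected"
#       test $KILLSERVERS != no && kill -HUP $KILLPIDS
#       exit 1
#   }
```

Checking the status of the first ldapsearch separately from the pwdFailureTime count distinguishes "the policy state was forwarded" from "the bind was actually refused"; the count alone can pass while the bind succeeded.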
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Thursday, April 05, 2012 10:17 AM
To: Limb, Jong (VDSS)
Cc: openldap-its@OpenLDAP.org
Subject: Re: (ITS#7228) Authentication Problem When Using PPolicy and Chaining
jong.limb@dss.virginia.gov wrote:
Full_Name: Jong K. Limb
Version: 2.4.23
OS: RHEL 5.3
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (166.67.66.5)
I have the following setup:

- Provider LDAP server used only by those applications that change passwords
- Consumer LDAP servers used by all applications that want to authenticate users
- The provider and consumers have password policy configured so that the accounts lock after 3 failed attempts
- In order to maintain synchronization of failed login attempts across all consumers, I also enabled chaining from the consumers to the master

If an attempt is made to authenticate against the consumer with an invalid password (for example, using ldapsearch), the pwdFailureTime attribute is added/updated on the provider and eventually synced to the consumer, but the operation succeeds when it should not have.

If I remove the password policy overlay (leaving all other configuration the same) and run ldapsearch with an invalid password against a consumer, the operation will fail with invalid credentials as it should.

I have done a little debugging, and it looks like the response that gets returned to the client is the response to the modify operation that the consumer makes to the provider to add/update the pwdFailureTime attribute, and not the response to the bind operation. The modify operation is successful here, so the client continues on with the search or other operation.
Unable to confirm this. Note that this is tested explicitly in test022 of the test suite, and no such behavior occurs there.
You're running a pretty old release, perhaps you should update. Regardless, unless you can provide more details to reproduce this situation, this ITS will be closed.
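For readers who want to reproduce the setup described in the report, here is an added configuration sketch; it is not the reporter's actual configuration and not taken from the OpenLDAP test suite. All DNs, the provider URI and the credentials are placeholders, and the use of ppolicy_forward_updates is an assumption about what "chaining from the consumers to the master" refers to, since that directive is what makes a consumer send a failed bind's policy state change to the provider through the chain overlay.

```conf
# Added example, not the reporter's configuration. Placeholders throughout.

# Password policy entry (LDIF), loaded on the provider and replicated to the
# consumers. pwdMaxFailure 3 plus pwdLockout TRUE locks the account after
# three failed binds.
#   dn: cn=default,ou=policies,dc=example,dc=com
#   objectClass: pwdPolicy
#   objectClass: person
#   cn: default
#   sn: default
#   pwdAttribute: userPassword
#   pwdMaxFailure: 3
#   pwdLockout: TRUE

# Consumer slapd.conf, global section (before any database definition):
# chain write operations that the consumer cannot perform itself to the
# provider, and return the provider's result instead of a referral.
overlay chain
chain-uri           "ldap://provider.example.com"
chain-idassert-bind bindmethod=simple
                    binddn="cn=Manager,dc=example,dc=com"
                    credentials=secret
                    mode=self
chain-return-error  TRUE

# Consumer slapd.conf, inside the replicated database definition: apply the
# policy and forward the pwdFailureTime/lockout updates caused by failed
# binds to the provider rather than writing them locally.
overlay ppolicy
ppolicy_default     "cn=default,ou=policies,dc=example,dc=com"
ppolicy_forward_updates
```

With this arrangement a wrong-password bind against a consumer triggers two operations: the bind that must be refused, and a chained modify of the user's policy state on the provider. When testing it, check the bind's own result code (49, invalidCredentials) rather than inferring success from the presence of pwdFailureTime on the provider, which only proves the forwarded modify went through.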