https://bugs.openldap.org/show_bug.cgi?id=9302
Issue ID: 9302
Summary: ppolicy pwdFailureTime race condition leaves account unlocked, violating pwdLockout policy
Product: OpenLDAP
Version: 2.4.50
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs@openldap.org
Reporter: requate@univention.de
Target Milestone: ---
Multiple concurrent ldap binds with invalid passwords against a user account sometimes don't trigger account lockout, even though the number of failed attempts exceeds the configured pwdLockout policy of the ppolicy overlay.
How to reproduce:
1. Configure the ppolicy overlay with pwdLockout: TRUE
2. Set pwdMaxFailure to some value, e.g. 5
3. Create a test user account and start just enough (or more) parallel ldapsearch processes with a wrong password to reach pwdMaxFailure, so that the account should get locked, e.g. like this in bash/sh (note the backgrounding with &, which makes the binds run concurrently):
for i in $(seq 6); do ldapsearch -x -D "uid=testuser1,$ldap_base" -w invalid >/dev/null 2>&1 & done
4. Check relevant ppolicy attributes, like:
ldapsearch -x -H LDAPI:// -b "uid=testuser1,$ldap_base" + | grep -E '^(pwdFailureTime|pwdAccountLockedTime):'
This often shows no pwdAccountLockedTime but enough (or more) pwdFailureTime values to meet the lockout policy.
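The following script is an added example, not part of the bug report or of OpenLDAP: it parses LDIF of the kind step 4 prints (the "+" requests operational attributes) and flags entries that carry at least pwdMaxFailure pwdFailureTime values but no pwdAccountLockedTime, which is the inconsistent state this race leaves behind. The LDIF and the DNs in it are constructed sample data; the function names parse_ldif and unlocked_over_limit are this example's own. It treats every retained pwdFailureTime value as counting toward the limit, i.e. it assumes no pwdFailureCountInterval pruning.

```python
import base64
from collections import defaultdict

# Constructed sample of what step 4's ldapsearch output looks like for three
# test accounts; not captured from a real server.
SAMPLE_LDIF = """\
dn: uid=testuser1,dc=example,dc=com
uid: testuser1
pwdFailureTime: 20200806120000.000001Z
pwdFailureTime: 20200806120000.000002Z
pwdFailureTime: 20200806120000.000003Z
pwdFailureTime: 20200806120000.000004Z
pwdFailureTime: 20200806120000.000005Z
pwdFailureTime: 20200806120000.000006Z

dn: uid=testuser2,dc=example,dc=com
uid: testuser2
pwdFailureTime: 20200806120100.000001Z
pwdFailureTime: 20200806120100.000002Z
pwdFailureTime: 20200806120100.000003Z
pwdFailureTime: 20200806120100.000004Z
pwdFailureTime: 20200806120100.000005Z
pwdAccountLockedTime: 20200806120100.000005Z

dn: uid=testuser3,dc=example,dc=com
uid: testuser3
pwdFailureTime: 20200806120200.000001Z
pwdFailureTime: 20200806120200.000002Z
"""


def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attribute_lowercase: [values]}).

    Handles folded lines (a leading space continues the previous line) and
    base64 values ("attr:: ..."). Comment lines, the version line and
    ldapsearch trailer lines outside any entry are ignored.
    """
    # Unfold continuation lines first.
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries = []
    current = None
    for line in logical + [""]:  # trailing "" flushes the last entry
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        name = name.strip().lower()  # attribute names are case-insensitive
        if name == "dn":
            current = (value, defaultdict(list))
        elif current is not None:
            current[1][name].append(value)
    return entries


def unlocked_over_limit(entries, pwd_max_failure):
    """Return the DNs whose pwdFailureTime count has reached pwd_max_failure
    while pwdAccountLockedTime is absent, i.e. accounts that the policy says
    should be locked but are not."""
    hits = []
    for dn, attrs in entries:
        failures = len(attrs.get("pwdfailuretime", []))
        locked = bool(attrs.get("pwdaccountlockedtime"))
        if failures >= pwd_max_failure and not locked:
            hits.append(dn)
    return hits


if __name__ == "__main__":
    # With pwdMaxFailure 5 only testuser1 is in the inconsistent state:
    # six failures recorded, no lock applied.
    for dn in unlocked_over_limit(parse_ldif(SAMPLE_LDIF), 5):
        print("lockout missing:", dn)
```

In practice the script would be fed the raw output of the step 4 ldapsearch (without the grep) for the whole user subtree, and any DN it prints is an account the race left unlocked.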