Full_Name: Jarbas Peixoto Junior
Version: 2.4.11 / 2.4.17 / 2.4.20
OS: Gnu/Linux Debian
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (200.152.34.143)
Possible bug in Overlay pPolicy
I have OpenLDAP installed from the Debian Lenny package and it works normally.
To test the Debian Squeeze version, I installed the slapd package (2.4.17-2.1) on a test machine with the same configuration as on Debian Lenny (2.4.11).
However, when testing the ppolicy overlay I noticed that an authentication with a wrong password walks through all objects in the LDAP database, causing a "delay" that does not exist in the Lenny version.
Below is some information that may be useful in detecting the problem:
File: slapd.conf
====================
moduleload ppolicy
overlay ppolicy
ppolicy_default "cn=default,ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,dc=br"
ppolicy_use_lockout
====================

ldapsearch -LLL -x -H ldap://squeeze -b ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,dc=br '(cn=default)'
dn: cn=default,ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,dc=br
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: userPassword
description:: UG9sw610aWNhIGRlIFNlbmhhIERlZmF1bHQgcGFyYSB0b2RvcyB1c3XDoXJpb3M=
pwdAllowUserChange: TRUE
pwdFailureCountInterval: 3600
pwdGraceAuthNLimit: 5
pwdInHistory: 0
pwdLockoutDuration: 60
pwdMaxAge: 7776000
pwdMinAge: 0
pwdMinLength: 6
pwdSafeModify: FALSE
pwdCheckQuality: 1
pwdExpireWarning: 600
cn: default
pwdMustChange: FALSE
pwdMaxFailure: 10
pwdLockout: FALSE

date ; ldapsearch -LLL -x -H ldap://squeeze -b ou=usuarios,dc=previdencia,dc=gov,dc=br -D uid=jarbas.peixoto,ou=pessoas,ou=usuarios,dc=previdencia,dc=gov,dc=br -w wrong-password '(uid=jarbas.peixoto)' cn mail pwdFailureTime pwdAccountLockedTime modifyTimeStamp ; date
Qua Dez 2 16:14:56 AMST 2009
ldap_bind: Invalid credentials (49)
Qua Dez 2 16:15:36 AMST 2009

ldapsearch -LLL -x -H ldap://squeeze -b ou=usuarios,dc=previdencia,dc=gov,dc=br '(uid=jarbas.peixoto)' cn mail pwdFailureTime pwdAccountLockedTime modifyTimeStamp
dn: uid=jarbas.peixoto,ou=Pessoas,ou=Usuarios,dc=previdencia,dc=gov,dc=br
mail: jarbas.peixoto@previdencia.gov.br
cn: Jarbas Peixoto Junior
pwdAccountLockedTime: 20091202161422Z
pwdFailureTime: 20091202162324Z
pwdFailureTime: 20091202162805Z
pwdFailureTime: 20091202162925Z
pwdFailureTime: 20091202164558Z
pwdFailureTime: 20091202164702Z
pwdFailureTime: 20091202165016Z
pwdFailureTime: 20091202181310Z
pwdFailureTime: 20091202182914Z
pwdFailureTime: 20091202183248Z
pwdFailureTime: 20091202190153Z
pwdFailureTime: 20091202191147Z
pwdFailureTime: 20091202191544Z
pwdFailureTime: 20091202191644Z
modifyTimestamp: 20091202191724Z

date ; ldapsearch -LLL -x -H ldap://squeeze -b ou=usuarios,dc=previdencia,dc=gov,dc=br -D uid=jarbas.peixoto,ou=pessoas,ou=usuarios,dc=previdencia,dc=gov,dc=br -w wrong-password '(uid=jarbas.peixoto)' cn mail pwdFailureTime pwdAccountLockedTime modifyTimeStamp ; date
Qua Dez 2 16:19:03 AMST 2009
ldap_bind: Invalid credentials (49)
Qua Dez 2 16:19:44 AMST 2009

ldapsearch -LLL -x -H ldap://squeeze -b ou=usuarios,dc=previdencia,dc=gov,dc=br '(uid=jarbas.peixoto)' cn mail pwdFailureTime pwdAccountLockedTime modifyTimeStamp
dn: uid=jarbas.peixoto,ou=Pessoas,ou=Usuarios,dc=previdencia,dc=gov,dc=br
mail: jarbas.peixoto@previdencia.gov.br
cn: Jarbas Peixoto Junior
pwdAccountLockedTime: 20091202161422Z
pwdFailureTime: 20091202162324Z
pwdFailureTime: 20091202162805Z
pwdFailureTime: 20091202162925Z
pwdFailureTime: 20091202164558Z
pwdFailureTime: 20091202164702Z
pwdFailureTime: 20091202165016Z
pwdFailureTime: 20091202181310Z
pwdFailureTime: 20091202182914Z
pwdFailureTime: 20091202183248Z
pwdFailureTime: 20091202190153Z
pwdFailureTime: 20091202191147Z
pwdFailureTime: 20091202191544Z
pwdFailureTime: 20091202191644Z
pwdFailureTime: 20091202192051Z
modifyTimestamp: 20091202192133Z
I tried to identify any problems that might show up in the logs. I did the following:

/etc/init.d/slapd stop
Stopping OpenLDAP: slapd.

/var/log/debug

/etc/init.d/slapd start
Starting OpenLDAP: slapd.
tail /var/log/debug -n 50
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=fnsi807249521$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=douglas.dcosta,ou=Pessoas,ou=Usuarios,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=fnsi813149827$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=fnsi813149622$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=fnsi808649957$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=apssc-fcn333$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=fnsi808638963$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=mgapssba055$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=fnsi808644351$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=fnsi813148464$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=fnsi813148430$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=fnsi808643444$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=admin.udsl,ou=Servicos,ou=Usuarios,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=admin.listas,ou=Servicos,ou=Usuarios,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => bdb_entry_get: found entry: "uid=jarbas.peixoto,ou=pessoas,ou=usuarios,dc=previdencia,dc=gov,dc=br"
Dec 2 18:01:59 squeeze slapd[21772]: => bdb_entry_get: found entry: "cn=default,ou=ldappassword,ou=politicas,ou=builtin,dc=previdencia,dc=gov,dc=br"
Dec 2 18:01:59 squeeze slapd[21772]: => bdb_entry_get: found entry: "uid=jarbas.peixoto,ou=pessoas,ou=usuarios,dc=previdencia,dc=gov,dc=br"
Dec 2 18:01:59 squeeze slapd[21772]: <= acl_access_allowed: granted to database root
Dec 2 18:01:59 squeeze slapd[21772]: conn=1000 op=0 RESULT tag=97 err=49 text=
Dec 2 18:01:59 squeeze slapd[21772]: conn=1000 fd=15 closed (connection lost)

grep 'access_allowed: search access to' /var/log/debug | wc -l
83714
The question is: why does it access all entries in LDAP?
Does anyone have any tips, or may it be some as yet unidentified bug?
As a further test, I installed version 2.4.20 and saw the same behavior.
Best Regards, Jarbas
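Added example, not part of the report above and not OpenLDAP project code: a small Python script that does two things a reader of this report would want to do themselves. First, it parses slapd debug lines in the format quoted above and, for each bind RESULT (tag=97), counts how many distinct entries were subjected to search-access checks since the previous operation; this is the walk the reporter measured with grep | wc -l, turned into a per-bind number. Second, it applies the pwdPolicy failure accounting (pwdFailureCountInterval, pwdMaxFailure, pwdLockout) to the pwdFailureTime values of the entry shown above, so the relationship between the 13 recorded failures and the policy's 10-failure / 3600-second limits can be checked. The log sample is constructed with hypothetical DNs under dc=example,dc=org; the policy values and failure timestamps are the ones shown in the report.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modeled on the slapd debug lines quoted in the report:
# hypothetical DNs under dc=example,dc=org, not a capture from the reporter's server.
SAMPLE_LOG = """\
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=host-a$,ou=Hosts,dc=example,dc=org" "objectClass" requested
Dec  2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=host-b$,ou=Hosts,dc=example,dc=org" "objectClass" requested
Dec  2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=alice,ou=People,dc=example,dc=org" "objectClass" requested
Dec  2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec  2 18:01:59 squeeze slapd[21772]: => bdb_entry_get: found entry: "uid=alice,ou=people,dc=example,dc=org"
Dec  2 18:01:59 squeeze slapd[21772]: => bdb_entry_get: found entry: "cn=default,ou=policies,dc=example,dc=org"
Dec  2 18:01:59 squeeze slapd[21772]: conn=1000 op=0 RESULT tag=97 err=49 text=
Dec  2 18:01:59 squeeze slapd[21772]: conn=1000 fd=15 closed (connection lost)
"""

ACCESS_RE = re.compile(r'access_allowed: search access to "([^"]+)" "([^"]+)" requested')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+)')
BIND_RESPONSE_TAG = 97  # LDAP BindResponse; err=49 is invalidCredentials


def bind_entry_walks(log_text):
    """For each bind RESULT line, report how many distinct entries slapd ran
    search-access checks on since the previous RESULT line.  A bind of one
    user should touch a handful of entries; a count close to the size of the
    directory is the full walk the report describes."""
    walks, touched, checks = [], set(), 0
    for line in log_text.splitlines():
        m = ACCESS_RE.search(line)
        if m:
            touched.add(m.group(1).lower())   # DNs compare case-insensitively
            checks += 1
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, tag, err = (int(x) for x in m.groups())
            if tag == BIND_RESPONSE_TAG:
                walks.append({"conn": conn, "op": op, "err": err,
                              "entries": len(touched), "checks": checks})
            touched, checks = set(), 0          # next operation starts clean
    return walks


def parse_gtime(value):
    """Parse an LDAP GeneralizedTime such as 20091202191644Z (UTC only)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def failure_state(policy, failure_times, now):
    """Apply the pwdPolicy failure accounting to a user's pwdFailureTime values:
    failures older than pwdFailureCountInterval seconds are ignored (interval 0
    means they never expire), the threshold is pwdMaxFailure recent failures
    (0 disables it), and lockout is only enforced when pwdLockout is TRUE."""
    interval = int(policy.get("pwdFailureCountInterval", "0"))
    max_failure = int(policy.get("pwdMaxFailure", "0"))
    cutoff = now - timedelta(seconds=interval) if interval else None
    recent = [t for t in map(parse_gtime, failure_times)
              if cutoff is None or t >= cutoff]
    reached = bool(max_failure) and len(recent) >= max_failure
    return {
        "recent_failures": len(recent),
        "threshold_reached": reached,
        "lockout_enforced": reached and policy.get("pwdLockout", "FALSE") == "TRUE",
    }


# Policy attributes and pwdFailureTime values as shown in the report's first listing.
REPORT_POLICY = {"pwdFailureCountInterval": "3600", "pwdMaxFailure": "10",
                 "pwdLockout": "FALSE"}
REPORT_FAILURES = ["20091202162324Z", "20091202162805Z", "20091202162925Z",
                   "20091202164558Z", "20091202164702Z", "20091202165016Z",
                   "20091202181310Z", "20091202182914Z", "20091202183248Z",
                   "20091202190153Z", "20091202191147Z", "20091202191544Z",
                   "20091202191644Z"]

if __name__ == "__main__":
    for w in bind_entry_walks(SAMPLE_LOG):
        print("conn=%d op=%d err=%d: %d access checks over %d distinct entries"
              % (w["conn"], w["op"], w["err"], w["checks"], w["entries"]))
    # Evaluate the entry at its modifyTimestamp (20091202191724Z).
    print(failure_state(REPORT_POLICY, REPORT_FAILURES,
                        parse_gtime("20091202191724Z")))
```

On a real log, feed the output of the same `tail` or the whole /var/log/debug file to bind_entry_walks and compare the "entries" figure with the number of entries in the database; for the report's configuration, failure_state shows that only 6 of the 13 recorded failures fall inside the 3600-second pwdFailureCountInterval at the entry's modifyTimestamp, below pwdMaxFailure, and that with pwdLockout FALSE no lockout is enforced whatever the count.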