https://bugs.openldap.org/show_bug.cgi?id=9302
Issue ID: 9302 Summary: ppolicy pwdFailureTime race condition leaves account unlocked, violating pwdLockout policy Product: OpenLDAP Version: 2.4.50 Hardware: All OS: All Status: UNCONFIRMED Severity: normal Priority: --- Component: overlays Assignee: bugs@openldap.org Reporter: requate@univention.de Target Milestone: ---
Multiple concurrent ldap binds with invalid passwords against a user account sometimes don't trigger account lockout, even though the number of failed attempts exceeds the configured pwdLockout policy of the ppolicy overlay.
How to reproduce:
1. Configure ppolicy overlay with pwdLockout: TRUE
2. set pwdMaxFailure to some value, e.g. 5
3. Create a test user account and start just enough (or more) parallel ldapsearch processes to make the account get locked, e.g. like this in bash/sh (note the backgrounding):
for i in $(seq 6); do ldapsearch -x -D "uid=testuser1,$ldap_base" -w invalid >/dev/null 2>&1 & done
4. Check relevant ppolicy attributes, like:
ldapsearch -x -H ldapi:// -b "uid=testuser1,$ldap_base" + | grep -E '^(pwdFailureTime|pwdAccountLockedTime):'
This often shows no pwdAccountLockedTime but enough (or more) pwdFailureTime values to meet the lockout policy.
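The reproduction steps above, collected into one script, as an added example that is not part of the original report and not code from the OpenLDAP project. It wraps the parallel wrong-password binds (step 3) and the operational-attribute dump (step 4), and adds an audit function that reads those attribute lines and flags the ITS#9302 symptom: pwdMaxFailure or more pwdFailureTime values with no pwdAccountLockedTime. Assumptions not in the report: ldapsearch in PATH, LDAP_BASE set to the suffix, an ldapi:// listener reachable for the dump, and PWD_MAX_FAILURE matching the configured pwdMaxFailure; the two LDIF-style samples are constructed for offline use.

```sh
#!/bin/sh
# Added example: not from the ITS#9302 report nor from slapo-ppolicy itself.
# Assumptions (not in the report): ldapsearch in PATH, LDAP_BASE set to the
# suffix, and an ldapi:// listener reachable for the attribute dump.

PWD_MAX_FAILURE="${PWD_MAX_FAILURE:-5}"   # must match the configured pwdMaxFailure

# Step 3 of the report: fire N concurrent simple binds with a wrong password.
# 'wait' is added so the audit runs only after every bind has completed.
hammer_binds() {
    dn="$1"; n="$2"; i=0
    while [ "$i" -lt "$n" ]; do
        ldapsearch -x -D "$dn" -w invalid >/dev/null 2>&1 &
        i=$((i + 1))
    done
    wait
}

# Step 4 of the report: read the ppolicy operational attributes ('+' requests them).
dump_ppolicy_attrs() {
    ldapsearch -x -H ldapi:// -b "$1" -s base + 2>/dev/null \
        | grep -E '^(pwdFailureTime|pwdAccountLockedTime):'
}

# Audit: read attribute lines on stdin, count pwdFailureTime values and look for
# pwdAccountLockedTime. Returns 0 if the policy was honoured, 1 if the entry has
# reached pwdMaxFailure failures without being locked (the ITS#9302 symptom).
check_lockout() {
    max="$1"; failures=0; locked=0
    while IFS= read -r line; do
        case "$line" in
            pwdFailureTime:*)       failures=$((failures + 1)) ;;
            pwdAccountLockedTime:*) locked=1 ;;
        esac
    done
    if [ "$failures" -ge "$max" ] && [ "$locked" -eq 0 ]; then
        echo "VIOLATION: $failures pwdFailureTime values >= pwdMaxFailure=$max, no pwdAccountLockedTime"
        return 1
    fi
    echo "ok: pwdFailureTime=$failures locked=$locked"
    return 0
}

# Constructed sample of what step 4 prints on an affected server: six failures
# recorded, no lockout. The timestamps are made up.
SAMPLE_UNLOCKED='pwdFailureTime: 20200731080501.000001Z
pwdFailureTime: 20200731080501.000002Z
pwdFailureTime: 20200731080501.000003Z
pwdFailureTime: 20200731080501.000004Z
pwdFailureTime: 20200731080501.000005Z
pwdFailureTime: 20200731080501.000006Z'

# Constructed sample of the correct outcome: lockout recorded at the fifth failure.
SAMPLE_LOCKED='pwdFailureTime: 20200731080501.000001Z
pwdFailureTime: 20200731080501.000002Z
pwdFailureTime: 20200731080501.000003Z
pwdFailureTime: 20200731080501.000004Z
pwdFailureTime: 20200731080501.000005Z
pwdAccountLockedTime: 20200731080501Z'

# Live run against a real server only when explicitly requested, e.g.
#   RUN_LIVE=1 LDAP_BASE=dc=example,dc=com sh audit.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
    dn="uid=testuser1,${LDAP_BASE:?set LDAP_BASE}"
    hammer_binds "$dn" $((PWD_MAX_FAILURE + 1))
    dump_ppolicy_attrs "$dn" | check_lockout "$PWD_MAX_FAILURE"
else
    printf '%s\n' "$SAMPLE_UNLOCKED" | check_lockout "$PWD_MAX_FAILURE" || true
    printf '%s\n' "$SAMPLE_LOCKED"   | check_lockout "$PWD_MAX_FAILURE"
fi
```

Run it a few times: the race is timing-dependent, so a single clean run proves nothing, and a server with pwdFailureCountInterval set may legitimately carry stale pwdFailureTime values that the count above does not age out.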
--- Comment #1 from requate@univention.de --- Created attachment 748 --> https://bugs.openldap.org/attachment.cgi?id=748&action=edit 0001-ITS-9302-ppolicy-avoid-pwdFailureTime-race-condition.patch
This patch worked for me.
Quanah Gibson-Mount quanah@openldap.org changed:
What             | Removed | Added
-----------------+---------+----------
Target Milestone | ---     | 2.4.51
Keywords         |         | has_patch
--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org --- Note: Patch as-is is not usable, due to the fact that it incorrectly re-uses the chk_syntax_mutex which is entirely unrelated. A correct patch would likely need to use a new mutex.
requate@univention.de changed:
What                       | Removed | Added
---------------------------+---------+------
Attachment #748 is obsolete | 0       | 1
--- Comment #3 from requate@univention.de --- Created attachment 749 --> https://bugs.openldap.org/attachment.cgi?id=749&action=edit 0001-ITS-9302-ppolicy-avoid-pwdFailureTime-race-condition.patch
Right, patch adjusted.
--- Comment #4 from Howard Chu hyc@openldap.org --- (In reply to requate@univention.de from comment #3)
> Created attachment 749 [details] 0001-ITS-9302-ppolicy-avoid-pwdFailureTime-race-condition.patch
> Right, patch adjusted.
Patch looks fine, thanks.
Quanah Gibson-Mount quanah@openldap.org changed:
What       | Removed     | Added
-----------+-------------+---------
Keywords   | has_patch   |
Resolution | ---         | FIXED
Status     | UNCONFIRMED | RESOLVED
--- Comment #5 from Quanah Gibson-Mount quanah@openldap.org ---
head:
Commits:
• 0e675be7 by Arvid Requate at 2020-07-30T17:32:32+01:00 ITS#9302 ppolicy: avoid pwdFailureTime race condition
• 138c4926 by Howard Chu at 2020-07-30T17:53:25+01:00 ITS#9302 fix pwdFailireTime mutex scope
RE24:
Commits:
• c4396517 by Arvid Requate at 2020-07-30T22:02:22+00:00 ITS#9302 ppolicy: avoid pwdFailureTime race condition
• 64e1cdfc by Howard Chu at 2020-07-30T22:07:49+00:00 ITS#9302 fix pwdFailireTime mutex scope
Quanah Gibson-Mount quanah@openldap.org changed:
What   | Removed  | Added
-------+----------+---------
Status | RESOLVED | VERIFIED
Quanah Gibson-Mount quanah@openldap.org changed:
What             | Removed | Added
-----------------+---------+-------
Target Milestone | 2.4.51  | 2.4.53
--- Comment #6 from Quanah Gibson-Mount quanah@openldap.org ---
commit ed356c55d962bed90c673bff69cb524c14799a46
Author: Howard Chu hyc@openldap.org
Date:   Thu Sep 3 21:30:35 2020 +0100
ITS#9334 slapo-ppolicy re-fix ITS#9302
The mutex_lock was being skipped in the lockout case, but still calling mutex_unlock at the end.
For 2.4.53, RE24:
commit af58686af31d2ed515ca63971b89ab919bd47efe
Author: Howard Chu hyc@openldap.org
Date:   Thu Sep 3 21:30:35 2020 +0100
ITS#9334 slapo-ppolicy re-fix ITS#9302
The mutex_lock was being skipped in the lockout case, but still calling mutex_unlock at the end.