Hello,
I use the ppolicy overlay and it works fine for all the features I've tested but one:
I've added the ppolicy_use_lockout parameter in my slapd.conf, but I still get the err=49 invalid credentials error message after 5 unsuccessful authentication attempts (a few seconds elapse between each attempt).
I operate slapd 2.4.13 over OpenSuse 10.2
I can for example expire passwords, reset them or use the password history feature, but I can't figure out how to get an "account locked" message instead of "invalid credentials" when a user fails to log in more than 5 times.
I've tested with different ldapsearch versions as well as with Apache LDAP Studio which seems to use at least some LDAP controls, so I don't think it's a client side problem.
I've tried to set "ppolicy_use_lockout" to 1 or true or on, as well as leaving it without a value, but it doesn't change anything, except that unauthorized values prevent slapd from starting.
Here's what I see in "-d -1" mode:

<= acl_access_allowed: granted to database root
bdb_modify_internal: replace pwdAccountLockedTime
bdb_modify_internal: add pwdFailureTime
bdb_modify_internal: 20 modify/add: pwdFailureTime: value #0 already exists
bdb_modify: modify failed (20)
send_ldap_result: conn=7 op=0 p=3
send_ldap_result: err=20 matched="" text="modify/add: pwdFailureTime: value #0 already exists"
send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 14 bytes to sd 25
  0000:  30 0c 02 01 01 61 07 0a 01 31 04 00 04 00   0....a...1....
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 61 07 0a 01 31 04 00 04 00   0....a...1....
conn=7 op=0 RESULT tag=97 err=49 text=
daemon: activity on:
My config is as follows:
database bdb
...
...
overlay ppolicy
ppolicy_default "cn=default,ou=policies,.....
ppolicy_use_lockout
And my policy is as follows:
dn: cn=default,ou=policies,....
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 86400
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: default
Any clue?
Cyril
I can for example expire passwords, reset them or use the password history feature, but I can't figure out how to get an "account locked" message instead of "invalid credentials" when a user fails to log in more than 5 times.
That's by intention (or should be). You never want to differentiate, to the client, between the bind failing because of invalid credentials and failing because the account is locked, for security reasons.
Returning "account is locked" instead of "invalid credentials" simply tells an attacker that any further tries are a waste of time, and can be used to know when to continue an attack (esp. if the account unlocks after a bit of time, in which case it also tells them how long the lockout is, so they can tune their attack to go right up to the limit and stop, allowing a more successful attack, etc.).
By returning invalid credentials after the account is locked, you don't give an attacker more info to aid in his attack.
This is the same reason why login pages should never ever say things like "user doesn't exist", "password was wrong", "account is locked", etc - a well designed/secure login page will only say that whatever credentials were supplied are not valid for any unsuccessful login case.
Any other response gives away too much information.
- Jeff
Clowser, Jeff wrote:
I can for example expire passwords, reset them or use the password history feature, but I can't figure out how to get an "account locked" message instead of "invalid credentials" when a user fails to log in more than 5 times.
That's by intention (or should be). You never want to differentiate, to the client, between the bind failing because of invalid credentials and failing because the account is locked, for security reasons.
Yes. The slapo-ppolicy(5) manpage already discusses this.
The manpage also discusses the AccountLocked error code - it is returned in the PasswordPolicy response control, not in the LDAP Result code. As the manpage clearly states, "A client will always receive an LDAP InvalidCredentials response ..."
----- "Cyril Grosjean" cgrosjean@janua.fr wrote:
Hello,
I use the ppolicy overlay and it works fine for all the features I've tested but one:
I've added the ppolicy_use_lockout parameter in my slapd.conf, but I still get the err=49 invalid credentials error message after 5 unsuccessful authentication attempts (a few seconds elapse between each attempt).
I operate slapd 2.4.13 over OpenSuse 10.2
I can for example expire passwords, reset them or use the password history feature, but I can't figure out how to get an "account locked" message instead of "invalid credentials" when a user fails to log in more than 5 times.
Well, you probably actually want them to get a message telling them that their password has expired, *before* they get locked out (otherwise you need admin intervention anyway).
I've tested with different ldapsearch versions as well as with Apache LDAP Studio which seems to use at least some LDAP controls, so I don't think it's a client side problem.
Are you using the '-e ppolicy' option to ldapwhoami or similar? Password policy requires the client to ask for, and interpret, the password policy controls. So, most likely it *is* a client side problem.
[...]
Any clue?
Test with ldapwhoami, with the '-e ppolicy' option. If they work correctly, then this is not an OpenLDAP issue, and you should ask about pam_ldap password policy support on another list (e.g. OpenLDAP-technical) which allows pam_ldap questions.
Regards, Buchan
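The two points made above (the AccountLocked code travels in the PasswordPolicy response control while the result code stays err=49, and the client must request and interpret that control) can be seen by decoding the control value. This is an added example, not code from the thread or from OpenLDAP; the two control values at the bottom are hand-constructed, and the ASN.1 layout and error names are those of draft-behera-ldap-password-policy:

```python
# Added example (not from the thread): decode the PasswordPolicy response
# control slapo-ppolicy attaches to a bind result when the client asked for
# it (ldapsearch/ldapwhoami -e ppolicy). The result code itself stays err=49
# invalidCredentials; the lockout detail lives only in this control:
#   PasswordPolicyResponseValue ::= SEQUENCE {
#     warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
#                          graceAuthNsRemaining [1] INTEGER } OPTIONAL,
#     error   [1] ENUMERATED { passwordExpired(0), accountLocked(1), ... } OPTIONAL }
PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"
ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
          3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
          5: "insufficientPasswordQuality", 6: "passwordTooShort",
          7: "passwordTooYoung", 8: "passwordInHistory"}

def _tlv(buf, pos):
    """Split one short-form BER TLV: returns (tag, contents, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    start = pos + 2
    return tag, buf[start:start + length], start + length

def decode_ppolicy(value):
    """Return {'warning': (name, int) or None, 'error': name or None}."""
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("control value must be a SEQUENCE")
    out, pos = {"warning": None, "error": None}, 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:  # [0] warning: explicit tag wrapping the CHOICE
            ctag, num, _ = _tlv(inner, 0)
            name = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}[ctag]
            out["warning"] = (name, int.from_bytes(num, "big"))
        elif tag == 0x81:  # [1] error: implicitly tagged ENUMERATED
            out["error"] = ERRORS.get(int.from_bytes(inner, "big"), "unknown")
    return out

def explain_bind(result_code, ppolicy_value=None):
    """What a ppolicy-aware client can conclude from a bind response."""
    if result_code != 49:
        return "bind succeeded" if result_code == 0 else f"LDAP error {result_code}"
    if ppolicy_value is None:
        return "invalidCredentials (no ppolicy control: lockout not distinguishable)"
    err = decode_ppolicy(ppolicy_value)["error"]
    return f"invalidCredentials, ppolicy error={err}" if err else "invalidCredentials"

# Constructed sample control values (hand-encoded, not captured from a server):
LOCKED = bytes.fromhex("30 03 81 01 01")        # error = accountLocked(1)
GRACE = bytes.fromhex("30 05 a0 03 81 01 02")   # warning: 2 grace binds remaining
```

A client that never sends the request control (the ldapsearch runs without '-e ppolicy' in this thread) only ever sees the first branch of explain_bind for a locked account.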
Thank you for all your answers. I understand it's a client problem now. I haven't tested yet with ldapwhoami, but I will soon. I've only tested with different versions (Solaris and Linux) of ldapsearch, as well as with Apache Directory Studio, and didn't find any option there to deal with the password policy controls.
----- "Cyril Grosjean" cgrosjean@janua.fr wrote:
Thank you for all your answers. I understand it's a client problem now. I haven't tested yet with ldapwhoami, but I will soon. I've only tested with different versions (Solaris and Linux) of ldapsearch, as well as with Apache Directory Studio, and didn't find any option there to deal with the password policy controls.
-e ppolicy should work with ldapsearch as well:
$ ldapsearch --help 2>&1|grep -C8 ppolicy
  -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
             [!]assert=<filter>     (a RFC 4515 Filter string)
             [!]authzid=<authzid>   ("dn:<dn>" or "u:<user>")
             [!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
                     one of "chainingPreferred", "chainingRequired",
                     "referralsPreferred", "referralsRequired"
             [!]manageDSAit
             [!]noop
             ppolicy
             [!]postread[=<attrs>]  (a comma-separated attribute list)
             [!]preread[=<attrs>]   (a comma-separated attribute list)
             [!]relax
             abandon, cancel, ignore (SIGINT sends abandon/cancel,
             or ignores response; if critical, doesn't wait for SIGINT.
             not really controls)
  -f file    read operations from `file'
  -h host    LDAP server
Regards, Buchan
Sorry, I did not know that option and had never used it. Now I confirm it works fine with ldapsearch.
I have also successfully tested it with ldapwhoami. The "-e" option works fine as well with the ldapwhoami command from Suse 10.2, but it didn't appear in my man pages; I can just see it with the "-h" option.
Thank you for your support.
openldap-software@openldap.org