11:38 a.m.
Hello,
I use the ppolicy overlay and it works fine for all the features I've
tested but one:
I've added the ppolicy_use_lockout parameter in my slapd.conf, but I
still get the err=49
invalid credentials error message after 5 unsuccessfull authentification
attempts (a few
seconds elapse between each attempt)
I operate slapd 2.4.13 over OpenSuse 10.2
I can for example expire passwords, reset them or use the password
history feature,
but I can't figure out how to get an "account locked" message instead of
"invalid credentials"
when a user fails to log in more than 5 times.
I've tested with different ldapsearch versions as well as with Apache
LDAP Studio which seems
to use at least some LDAP controls, so I don't think it's a client side
problem.
I've tried to set "ppolicy_use_lockout" to 1 or true or on as well as
let it without value, but it's
doesn't change anything, excepted that unauthorized values prevent slapd
from starting.
Here's what I see in "-d -1 mode"
<= acl_access_allowed: granted to database root
bdb_modify_internal: replace pwdAccountLockedTime
bdb_modify_internal: add pwdFailureTime
bdb_modify_internal: 20 modify/add: pwdFailureTime: value #0 already exists
bdb_modify: modify failed (20)
send_ldap_result: conn=7 op=0 p=3
send_ldap_result: err=20 matched="" text="modify/add: pwdFailureTime:
value #0 already exists"
send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 14 bytes to sd 25
0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00 0....a...1....
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00 0....a...1....
conn=7 op=0 RESULT tag=97 err=49 text=
daemon: activity on:
My config is as follows:
database bdb
...
...
overlay ppolicy
ppolicy_default "cn=default,ou=policies,.....
ppolicy_use_lockout
And my policy is as follows:
dn: cn=default,ou=policies,....
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 86400
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: default
Any clue ?
Cyril
--
2:20 p.m.
I can for example expire passwords, reset them or use the password
history feature,
but I can't figure out how to get an "account locked" message instead
of
"invalid credentials"
when a user fails to log in more than 5 times.
That's by intention (or should be). You never want to differentiate to
the
client the difference between the bind failing because of invalid
credentials
and failing because the account is locked, for security reasons.
Returning "account is locked" instead of "invalid credentials" simply
tells an attacker that any further tries is a waste of time, can be used
to know when to continue an attack (esp if the account unlocks after a
bit
of time, in which it also tells them how long the lockout is, so they
can
tune their attack to go right up to the limit and stop, allowing a more
successful attack, etc).
By returning invalid credentials after the account is locked, you don't
give an attacker more info to aid in his attack.
This is the same reason why login pages should never ever say things
like
"user doesn't exist", "password was wrong", "account is
locked", etc - a
well
designed/secure login page will only say that whatever credentials were
supplied are not valid for any unsuccessful login case.
Any other response gives away too much information.
- Jeff
5:12 p.m.
Clowser, Jeff wrote:
> I can for example expire passwords, reset them or use the password
> history feature,
> but I can't figure out how to get an "account locked" message instead
of
> "invalid credentials"
> when a user fails to log in more than 5 times.
That's by intention (or should be). You never want to differentiate to
the
client the difference between the bind failing because of invalid
credentials
and failing because the account is locked, for security reasons.
Yes. The slapo-ppolicy(5) manpage already discusses this.
The manpage also discusses the AccountLocked error code - it is returned in
the PasswordPolicy response control, not in the LDAP Result code. As the
manpage clearly states, "A client will always receive an LDAP
InvalidCredentials response ..."
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
1:41 a.m.
----- "Cyril Grosjean" <cgrosjean(a)janua.fr> wrote:
Hello,
I use the ppolicy overlay and it works fine for all the features I've
tested but one:
I've added the ppolicy_use_lockout parameter in my slapd.conf, but I
still get the err=49
invalid credentials error message after 5 unsuccessfull
authentification
attempts (a few
seconds elapse between each attempt)
I operate slapd 2.4.13 over OpenSuse 10.2
I can for example expire passwords, reset them or use the password
history feature,
but I can't figure out how to get an "account locked" message instead
of
"invalid credentials"
when a user fails to log in more than 5 times.
Well, you probably actually want them to get a message telling them that their password
has expired, *before* they get locked out (otherwise you need admin intervention anyway).
I've tested with different ldapsearch versions as well as with Apache
LDAP Studio which seems
to use at least some LDAP controls, so I don't think it's a client
side
problem.
Are you using the '-e ppolicy' option to ldapwhoami or similar ? Password policy
requires the client to ask for, and interpret the password policy controls. So, most
likely it *is* a client side problem.
[...]
Any clue ?
Test with ldapwhoami, with the '-e ppolicy' options. If they work correctly, then
this is not an OpenLDAP issue, and you should ask about pam_ldap password policy support
on another list (e.g. OpenLDAP-technical) which allows pam_ldap questions.
Regards,
Buchan
2:17 a.m.
Buchan Milne wrote:
----- "Cyril Grosjean" <cgrosjean(a)janua.fr> wrote:
> Hello,
>
> I use the ppolicy overlay and it works fine for all the features I've
> tested but one:
>
> I've added the ppolicy_use_lockout parameter in my slapd.conf, but I
> still get the err=49
> invalid credentials error message after 5 unsuccessfull
> authentification
> attempts (a few
> seconds elapse between each attempt)
>
> I operate slapd 2.4.13 over OpenSuse 10.2
>
> I can for example expire passwords, reset them or use the password
> history feature,
> but I can't figure out how to get an "account locked" message instead
> of
> "invalid credentials"
> when a user fails to log in more than 5 times.
>
Well, you probably actually want them to get a message telling them that their password
has expired, *before* they get locked out (otherwise you need admin intervention anyway).
> I've tested with different ldapsearch versions as well as with Apache
> LDAP Studio which seems
> to use at least some LDAP controls, so I don't think it's a client
> side
> problem.
>
Are you using the '-e ppolicy' option to ldapwhoami or similar ? Password policy
requires the client to ask for, and interpret the password policy controls. So, most
likely it *is* a client side problem.
[...]
> Any clue ?
>
Test with ldapwhoami, with the '-e ppolicy' options. If they work correctly, then
this is not an OpenLDAP issue, and you should ask about pam_ldap password policy support
on another list (e.g. OpenLDAP-technical) which allows pam_ldap questions.
Regards,
Buchan
Thank you for all your answers. I understand it's a client problem now.
I haven't tested yet with ldapwhoami, but I will soon. I've only tested
with different versions (Solaris and Linux) of ldapsearch,
as well as with Apache Directory Studio and didn't find any option here
to deal with the password policy cotnrols .
3:04 a.m.
----- "Cyril Grosjean" <cgrosjean(a)janua.fr> wrote:
Buchan Milne wrote:
> ----- "Cyril Grosjean" <cgrosjean(a)janua.fr> wrote:
>
>
>> Hello,
>>
>> I use the ppolicy overlay and it works fine for all the features
I've
>> tested but one:
>>
>> I've added the ppolicy_use_lockout parameter in my slapd.conf, but
I
>> still get the err=49
>> invalid credentials error message after 5 unsuccessfull
>> authentification
>> attempts (a few
>> seconds elapse between each attempt)
>>
>> I operate slapd 2.4.13 over OpenSuse 10.2
>>
>> I can for example expire passwords, reset them or use the password
>> history feature,
>> but I can't figure out how to get an "account locked" message
instead
>> of
>> "invalid credentials"
>> when a user fails to log in more than 5 times.
>>
>
> Well, you probably actually want them to get a message telling them
that their password has expired, *before* they get locked out
(otherwise you need admin intervention anyway).
>
>
>> I've tested with different ldapsearch versions as well as with
Apache
>> LDAP Studio which seems
>> to use at least some LDAP controls, so I don't think it's a client
>> side
>> problem.
>>
>
> Are you using the '-e ppolicy' option to ldapwhoami or similar ?
Password policy requires the client to ask for, and interpret the
password policy controls. So, most likely it *is* a client side
problem.
>
>
> [...]
>
>
>> Any clue ?
>>
>
> Test with ldapwhoami, with the '-e ppolicy' options. If they work
correctly, then this is not an OpenLDAP issue, and you should ask
about pam_ldap password policy support on another list (e.g.
OpenLDAP-technical) which allows pam_ldap questions.
>
> Regards,
> Buchan
Thank you for all your answers. I understand it's a client problem
now.
I haven't tested yet with ldapwhoami, but I will soon. I've only
tested
with different versions (Solaris and Linux) of ldapsearch,
as well as with Apache Directory Studio and didn't find any option
here
to deal with the password policy cotnrols .
-e ppolicy should work with ldapsearch as well:
$ ldapsearch --help 2>&1|grep -C8 ppolicy
-e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
[!]assert=<filter> (a RFC 4515 Filter string)
[!]authzid=<authzid> ("dn:<dn>" or
"u:<user>")
[!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
one of "chainingPreferred", "chainingRequired",
"referralsPreferred", "referralsRequired"
[!]manageDSAit
[!]noop
ppolicy
[!]postread[=<attrs>] (a comma-separated attribute list)
[!]preread[=<attrs>] (a comma-separated attribute list)
[!]relax
abandon, cancel, ignore (SIGINT sends abandon/cancel,
or ignores response; if critical, doesn't wait for SIGINT.
not really controls)
-f file read operations from `file'
-h host LDAP server
Regards,
Buchan
3:39 a.m.
Sorry, I did not know that option and had never used it.
Now I confirm it works fine with ldapsearch.
I have also successfully tested it with ldapwhoami.
The "-e" option works fine as well with the ldapwhoami command from Suse
10.2 , but it didn't appear in my man pages,
I can just see it with the "-h" option .
Thank you for your support .
Buchan Milne wrote:
----- "Cyril Grosjean" <cgrosjean(a)janua.fr> wrote:
> Buchan Milne wrote:
>
>> ----- "Cyril Grosjean" <cgrosjean(a)janua.fr> wrote:
>>
>>
>>
>>> Hello,
>>>
>>> I use the ppolicy overlay and it works fine for all the features
>>>
> I've
>
>>> tested but one:
>>>
>>> I've added the ppolicy_use_lockout parameter in my slapd.conf, but
>>>
> I
>
>>> still get the err=49
>>> invalid credentials error message after 5 unsuccessfull
>>> authentification
>>> attempts (a few
>>> seconds elapse between each attempt)
>>>
>>> I operate slapd 2.4.13 over OpenSuse 10.2
>>>
>>> I can for example expire passwords, reset them or use the password
>>> history feature,
>>> but I can't figure out how to get an "account locked" message
>>>
> instead
>
>>> of
>>> "invalid credentials"
>>> when a user fails to log in more than 5 times.
>>>
>>>
>> Well, you probably actually want them to get a message telling them
>>
> that their password has expired, *before* they get locked out
> (otherwise you need admin intervention anyway).
>
>>
>>
>>> I've tested with different ldapsearch versions as well as with
>>>
> Apache
>
>>> LDAP Studio which seems
>>> to use at least some LDAP controls, so I don't think it's a client
>>> side
>>> problem.
>>>
>>>
>> Are you using the '-e ppolicy' option to ldapwhoami or similar ?
>>
> Password policy requires the client to ask for, and interpret the
> password policy controls. So, most likely it *is* a client side
> problem.
>
>> [...]
>>
>>
>>
>>> Any clue ?
>>>
>>>
>> Test with ldapwhoami, with the '-e ppolicy' options. If they work
>>
> correctly, then this is not an OpenLDAP issue, and you should ask
> about pam_ldap password policy support on another list (e.g.
> OpenLDAP-technical) which allows pam_ldap questions.
>
>> Regards,
>> Buchan
>>
> Thank you for all your answers. I understand it's a client problem
> now.
> I haven't tested yet with ldapwhoami, but I will soon. I've only
> tested
> with different versions (Solaris and Linux) of ldapsearch,
> as well as with Apache Directory Studio and didn't find any option
> here
> to deal with the password policy cotnrols .
>
-e ppolicy should work with ldapsearch as well:
$ ldapsearch --help 2>&1|grep -C8 ppolicy
-e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
[!]assert=<filter> (a RFC 4515 Filter string)
[!]authzid=<authzid> ("dn:<dn>" or
"u:<user>")
[!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
one of "chainingPreferred", "chainingRequired",
"referralsPreferred", "referralsRequired"
[!]manageDSAit
[!]noop
ppolicy
[!]postread[=<attrs>] (a comma-separated attribute list)
[!]preread[=<attrs>] (a comma-separated attribute list)
[!]relax
abandon, cancel, ignore (SIGINT sends abandon/cancel,
or ignores response; if critical, doesn't wait for SIGINT.
not really controls)
-f file read operations from `file'
-h host LDAP server
Regards,
Buchan
5120
days inactive
5123
days old
openldap-software@openldap.org
6 comments
4 participants
participants (4)
-
Buchan Milne -
Clowser, Jeff -
Cyril Grosjean -
Howard Chu