Hi, I am testing out 389_ds_base, version 1.2.11.15,REV=2013.01.31, running on mixed Solaris 10 servers (SPARC and x86) sourced from http://www.opencsw.org/packages/CSW389-ds-base, in multi-master mode with 4 servers, primarily used for authentication and user/group/netgroup management. Most of the password policy components seem to work as they should, but password-failure account lockout doesn't appear to engage after X failed attempts. After creating a new account and testing a successful login, then 5+ failed logins with bad passwords, I can still log in when I would expect to be locked out. I even created a new password policy and applied it to this user, and it still doesn't lock him out after 5+ failed logins with bad passwords. The client server I am trying to log in to is a Solaris 10 SPARC OS that successfully integrates into LDAP for authentication and user/group/netgroup management. Can someone recommend some steps to determine where to start attacking this issue? I assume this is a 389DS issue, but I have provided a copy of our /etc/pam.conf and /etc/nsswitch.conf in case it's a client-side configuration issue. I have also provided some quick diagnostics of the current settings, as shown in the ldapsearch commands below. Thanks in advance for any help you may provide.
#Here is the global password policy:
>>ldapsearch -x -ZZ -LLL -h ldap-dr01.my-domain.com -D 'cn=directory manager' -b 'cn=config' -s base 'objectClass=*' '*' passwordHistory | grep password
passwordInHistory: 6
passwordUnlock: on
passwordGraceLimit: 0
passwordMustChange: off
passwordWarning: 86400
passwordLockout: off
passwordMinLength: 8
passwordMinDigits: 0
passwordMinAlphas: 0
passwordMinUppers: 0
passwordMinLowers: 0
passwordMinSpecials: 0
passwordMin8bit: 0
passwordMaxRepeats: 0
passwordMinCategories: 3
passwordMinTokenLength: 3
passwordMaxFailure: 3
passwordHistory: off
passwordMaxAge: 8640000
passwordResetFailureCount: 600
passwordisglobalpolicy: on
passwordlegacypolicy: on
passwordtrackupdatetime: off
passwordChange: on
passwordExp: off
passwordLockoutDuration: 3600
passwordCheckSyntax: off
passwordMinAge: 0
passwordStorageScheme: SSHA

#Here is my newly created policy
>>ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "cn=nsPwPolicyContainer,ou=people,dc=my-domain,dc=com" "(&(objectClass=ldapsubentry)(objectClass=passwordPolicy)(cn=TestNewPolicy))"
dn: cn=TestNewPolicy,cn=nsPwPolicyContainer,ou=people,dc=my-domain,dc=com
cn: TestNewPolicy
objectClass: top
objectClass: ldapsubentry
objectClass: passwordPolicy
passwordMustChange: on
passwordChange: on
passwordMinAge: 0
passwordKeepHistory: on
passwordInHistory: 12
passwordExp: on
passwordMaxAge: 86400
passwordWarning: 10000
passwordGraceLimit: 5
passwordLockout: on
passwordMaxFailure: 4
passwordResetDuration: 600
passwordLockoutDuration: 3600
passwordCheckSyntax: on
passwordMinLength: 6
passwordMinAlphas: 1
passwordMinCategories: 1
passwordMinDigits: 1
passwordMinLowers: 1
passwordMinUppers: 1
passwordMinSpecials: 0
passwordMin8bit: 0
passwordMaxRepeats: 0
passwordMinTokenLength: 3
passwordStorageScheme: SSHA

#Here is my newly created user with the test policy applied to him
>>ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" "cn=test-user-account"
dn: uid=test-user-account,ou=people,dc=my-domain,dc=com
description: accountHasItsOwnPwdPolicy
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
uid: test-user-account
cn: test-user-account
uidNumber: 2853
gidNumber: 2600
gecos: User LDAP Test
homeDirectory: /home/test-user-account
loginShell: /bin/tcsh

>>ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" "cn=test-user-account" pwdPolicySubentry
dn: uid=test-user-account,ou=people,dc=my-domain,dc=com
pwdPolicySubentry: cn=TestNewPolicy,cn=nsPwPolicyContainer,ou=people,dc=my-domain,dc=com

>>ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" "cn=test-user-account" passwordExpirationtime
dn: uid=test-user-account,ou=people,dc=my-domain,dc=com
passwordExpirationtime: 20131126160316Z

Here is my Solaris-based PAM file: /etc/pam.conf

#ident  "@(#)pam.conf   1.31    07/12/07 SMI"
#
# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/.  Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_dial_auth.so.1
login   auth binding            pam_unix_auth.so.1 server_policy
login   auth required           pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth binding            pam_unix_auth.so.1 server_policy
rlogin  auth required           pam_ldap.so.1
#
# Kerberized rlogin service
#
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
rsh     auth binding            pam_unix_auth.so.1 server_policy
rsh     auth required           pam_ldap.so.1
#
# Kerberized rsh service
#
#
# Kerberized telnet service
#
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_dial_auth.so.1
ppp     auth binding            pam_unix_auth.so.1 server_policy
ppp     auth required           pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth binding            pam_unix_auth.so.1 server_policy
other   auth required           pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth binding            pam_passwd_auth.so.1 server_policy
passwd  auth required           pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account binding         pam_unix_account.so.1 server_policy
other   account required        pam_list.so.1 allow=/etc/user.allow
other   account required        pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1 server_policy
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
krlogin auth required           pam_unix_cred.so.1
krlogin auth required           pam_krb5.so.1
krsh    auth required           pam_unix_cred.so.1
krsh    auth required           pam_krb5.so.1
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth required           pam_krb5.so.1

Here is my Solaris-based NSSWITCH file: /etc/nsswitch.conf

#
# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)nsswitch.ldap 1.10 06/05/03 SMI"
#
# /etc/nsswitch.ldap:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# LDAP service requires that svc:/network/ldap/client:default be enabled
# and online.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd:     files ldap
group:      files ldap

# consult /etc "files" only if ldap is down.
hosts:      files dns

# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes:    files dns

networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files

netgroup:   ldap

automount:  files ldap
aliases:    files ldap

# for efficient getservbyname() avoid ldap
services:   files ldap
printers:   user files ldap

auth_attr:  files ldap
prof_attr:  files ldap

project:    files ldap

tnrhtp:     files ldap
tnrhdb:     files ldap
-- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
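As an added example, not part of the post above and not code from the 389 DS project: a small Python diagnostic that parses the kind of LDIF that ldapsearch -LLL prints, works out which password policy governs a user entry (a fine-grained policy named in pwdPolicySubentry takes precedence over the global policy in cn=config), and reads the lockout state the server records on the entry. The LDIF strings are constructed from the attribute values in the post, with timestamps and the second user made up. It assumes the per-entry operational attributes passwordRetryCount, retryCountResetTime and accountUnlockTime, which 389 DS maintains when it counts failed binds and which ldapsearch only returns when asked for by name; whether an unset attribute in a local policy falls back to the server default is also an assumption here.

```python
"""Added diagnostic for 389 DS password lockout: which policy governs an entry,
and what the entry's own failure counters say. Not from the post or the project.
Assumes the operational attributes passwordRetryCount, retryCountResetTime and
accountUnlockTime exist on the user entry after failed binds."""
from datetime import datetime, timezone

# Constructed from the post's values; only the lockout-related attributes kept.
GLOBAL_POLICY_LDIF = """\
dn: cn=config
passwordLockout: off
passwordMaxFailure: 3
passwordUnlock: on
"""
LOCAL_POLICY_LDIF = """\
dn: cn=TestNewPolicy,cn=nsPwPolicyContainer,ou=people,dc=my-domain,dc=com
cn: TestNewPolicy
passwordLockout: on
passwordMaxFailure: 4
"""
# Constructed: the test user after four failed binds that the server did count
# (timestamps are made up, in the GeneralizedTime form the post shows).
USER_LOCKED_LDIF = """\
dn: uid=test-user-account,ou=people,dc=my-domain,dc=com
pwdPolicySubentry: cn=TestNewPolicy,cn=nsPwPolicyContainer,ou=people,dc=my-domain,dc=com
passwordRetryCount: 4
retryCountResetTime: 20131126170000Z
accountUnlockTime: 20131126180000Z
"""
# Constructed: same user, but the server has recorded no failed binds at all.
USER_NO_FAILURES_LDIF = """\
dn: uid=test-user-account,ou=people,dc=my-domain,dc=com
pwdPolicySubentry: cn=TestNewPolicy,cn=nsPwPolicyContainer,ou=people,dc=my-domain,dc=com
"""
# Constructed: a user with no fine-grained policy, so cn=config governs it.
USER_GLOBAL_LDIF = """\
dn: uid=other-user,ou=people,dc=my-domain,dc=com
passwordRetryCount: 10
retryCountResetTime: 20131126170000Z
"""
NOW = datetime(2013, 11, 26, 16, 30, tzinfo=timezone.utc)    # constructed clock
LATER = datetime(2013, 11, 26, 19, 0, tzinfo=timezone.utc)   # after both timestamps


def parse_ldif(text):
    """Parse blank-line-separated 'attr: value' blocks into dicts of value lists.
    Attribute names are lower-cased, as LDAP compares them case-insensitively.
    Base64 ('::') values and folded continuation lines are not handled."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def first(entry, attr, default=None):
    vals = entry.get(attr.lower())
    return vals[0] if vals else default


def gtime(value):
    """Parse GeneralizedTime such as 20131126160316Z as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def effective_policy(user, global_policy, local_policies):
    """A fine-grained policy named in pwdPolicySubentry overrides cn=config."""
    wanted = first(user, "pwdPolicySubentry")
    if wanted:
        for pol in local_policies:
            if first(pol, "dn", "").lower() == wanted.lower():
                return pol
    return global_policy


def lockout_status(user, policy, now):
    """Return (locked, reason) from the governing policy and the entry's counters."""
    if first(policy, "passwordLockout", "off").lower() != "on":
        return False, "passwordLockout is off in the policy that governs this entry"
    unlock_at = first(user, "accountUnlockTime")
    if unlock_at and gtime(unlock_at) > now:
        return True, f"accountUnlockTime {unlock_at} is in the future"
    max_failure = int(first(policy, "passwordMaxFailure", "3"))  # assumed server default
    retries = int(first(user, "passwordRetryCount", "0"))
    reset_at = first(user, "retryCountResetTime")
    if reset_at and gtime(reset_at) <= now:
        retries = 0  # the passwordResetFailureCount window has elapsed
    if retries >= max_failure:
        return True, f"passwordRetryCount {retries} >= passwordMaxFailure {max_failure}"
    if reset_at is None:
        return False, "no passwordRetryCount on the entry: the server has recorded no failed binds"
    return False, f"{retries} of {max_failure} failures recorded"


def diagnose(global_ldif, local_ldif, user_ldif, now):
    """Return (governing policy DN, locked, reason) for one user entry."""
    user = parse_ldif(user_ldif)[0]
    policy = effective_policy(user, parse_ldif(global_ldif)[0], parse_ldif(local_ldif))
    locked, reason = lockout_status(user, policy, now)
    return first(policy, "dn"), locked, reason


if __name__ == "__main__":
    for label, ldif in (("locked", USER_LOCKED_LDIF), ("no failures", USER_NO_FAILURES_LDIF),
                        ("global policy", USER_GLOBAL_LDIF)):
        print(label, diagnose(GLOBAL_POLICY_LDIF, LOCAL_POLICY_LDIF, ldif, NOW))
```

The useful split this gives when run against real output: if the user entry never acquires a passwordRetryCount after the bad logins, the failures are not arriving at the server as binds against that entry, which points at the client side (pam.conf or the client's bind path) rather than at the policy; if the counter climbs but the account never locks, the policy the server actually selects for the entry is the thing to check.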