On 11/25/2013 03:33 PM, JLPicard wrote:
Hi, I am testing out 389_ds_base, version
=1.2.11.15,REV=2013.01.31 running on mixed Solaris 10 servers
(SPARC and X86) sourced from
http://www.opencsw.org/packages/CSW389-ds-base
in multi-master mode with 4 servers that are primarily used for
authentication and user/group/netgroup management.
Most of the password policy components seem to work as they
should, but account lockout on password failure does not appear to
engage after X failed attempts. After creating a new account and
testing a successful login, I can still log in after 5+ failed
logins with bad passwords, when I would expect to be locked
out. I even created a new password policy and applied it to this
user, and it still does not lock him out after 5+ failed logins with
bad passwords.
Can you reproduce the issue with ldapsearch, binding directly to the
server so the PAM client is taken out of the picture?
ldapsearch ... -D "uid=myuser,...." -w "badpassword" ...
repeat 5 times
The client I am trying to log in to is a Solaris 10 SPARC host
that successfully integrates with LDAP for authentication and
user/group/netgroup management.
Can someone recommend some steps to determine where to start
troubleshooting this issue? I assume this is a 389DS issue, but I
have provided a copy of our /etc/pam.conf and /etc/nsswitch.conf in
case it is a client-side configuration issue.
I have included some quick diagnostics of the current settings, as
reported by ldapsearch in this environment (see below). Thanks in
advance for any help you may provide.
#Here is the global password policy:
>>ldapsearch -x -ZZ -LLL -h ldap-dr01.my-domain.com -D
'cn=directory manager' -b 'cn=config' -s base 'objectClass=*' '*'
passwordHistory | grep password
passwordInHistory: 6
passwordUnlock: on
passwordGraceLimit: 0
passwordMustChange: off
passwordWarning: 86400
passwordLockout: off
passwordMinLength: 8
passwordMinDigits: 0
passwordMinAlphas: 0
passwordMinUppers: 0
passwordMinLowers: 0
passwordMinSpecials: 0
passwordMin8bit: 0
passwordMaxRepeats: 0
passwordMinCategories: 3
passwordMinTokenLength: 3
passwordMaxFailure: 3
passwordHistory: off
passwordMaxAge: 8640000
passwordResetFailureCount: 600
passwordisglobalpolicy: on
passwordlegacypolicy: on
passwordtrackupdatetime: off
passwordChange: on
passwordExp: off
passwordLockoutDuration: 3600
passwordCheckSyntax: off
passwordMinAge: 0
passwordStorageScheme: SSHA
#Here is my newly created policy
>>ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b
"cn=nsPwPolicyContainer,ou=people,dc=my-domain,dc=com"
"(&(objectClass=ldapsubentry)(objectClass=passwordPolicy)(cn=TestNewPolicy))"
dn:
cn=TestNewPolicy,cn=nsPwPolicyContainer,ou=people,dc=my-domain,dc=com
cn: TestNewPolicy
objectClass: top
objectClass: ldapsubentry
objectClass: passwordPolicy
passwordMustChange: on
passwordChange: on
passwordMinAge: 0
passwordKeepHistory: on
passwordInHistory: 12
passwordExp: on
passwordMaxAge: 86400
passwordWarning: 10000
passwordGraceLimit: 5
passwordLockout: on
passwordMaxFailure: 4
passwordResetDuration: 600
passwordLockoutDuration: 3600
passwordCheckSyntax: on
passwordMinLength: 6
passwordMinAlphas: 1
passwordMinCategories: 1
passwordMinDigits: 1
passwordMinLowers: 1
passwordMinUppers: 1
passwordMinSpecials: 0
passwordMin8bit: 0
passwordMaxRepeats: 0
passwordMinTokenLength: 3
passwordStorageScheme: SSHA
#Here is my newly created user with the test policy applied to him
>>ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b
"dc=my-domain,dc=com" "cn=test-user-account"
dn: uid=test-user-account,ou=people,dc=my-domain,dc=com
description: accountHasItsOwnPwdPolicy
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
uid: test-user-account
cn: test-user-account
uidNumber: 2853
gidNumber: 2600
gecos: User LDAP Test
homeDirectory: /home/test-user-account
loginShell: /bin/tcsh
>>ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b
"dc=my-domain,dc=com" "cn=test-user-account" pwdPolicySubentry
dn: uid=test-user-account,ou=people,dc=my-domain,dc=com
pwdPolicySubentry:
cn=TestNewPolicy,cn=nsPwPolicyContainer,ou=people,dc=my-domain,dc=com
>>ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b
"dc=my-domain,dc=com" "cn=test-user-account"
passwordExpirationtime
dn: uid=test-user-account,ou=people,dc=my-domain,dc=com
passwordExpirationtime: 20131126160316Z
Here is my Solaris-based PAM file: /etc/pam.conf
#ident "@(#)pam.conf 1.31 07/12/07 SMI"
#
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
#
# Kerberized rlogin service
#
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
#
# Kerberized rsh service
#
#
# Kerberized telnet service
#
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_list.so.1 allow=/etc/user.allow
other account required pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
server_policy
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
Here is my Solaris-based NSSWITCH file: /etc/nsswitch.conf
#
# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)nsswitch.ldap 1.10 06/05/03 SMI"
#
# /etc/nsswitch.ldap:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
# LDAP service requires that svc:/network/ldap/client:default be enabled
# and online.
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files ldap
group: files ldap
# consult /etc "files" only if ldap is down.
hosts: files dns
# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes: files dns
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: ldap
automount: files ldap
aliases: files ldap
# for efficient getservbyname() avoid ldap
services: files ldap
printers: user files ldap
auth_attr: files ldap
prof_attr: files ldap
project: files ldap
tnrhtp: files ldap
tnrhdb: files ldap