[Pkg-openldap-devel] Bug#883838: slapd: Overlay ppolicy: When pwdFailureCountInterval (!=0) is reached the password failures are not purged.
Mats Luspa
matsl at irf.se
Fri Dec 8 07:39:32 UTC 2017
Package: slapd
Version: 2.4.40+dfsg-1+deb8u3
Severity: normal
Tags: patch
Dear Maintainer,

In the overlay ppolicy you can use the pwdFailureCountInterval attribute. The documentation says: "pwdFailureCountInterval attribute holds the number of seconds after which the password failures are purged from the failure counter, even though no successful authentication occurred. If pwdFailureCountInterval attribute is not present, or if its value is 0, the failure counter is only reset by a successful authentication."

But that doesn't work. I've checked the code for the overlay ppolicy and found this regarding pwdFailureCountInterval:
    if ((a = attr_find( e->e_attrs, ad_pwdFailureTime )) != NULL) {
        for(i=0; a->a_nvals[i].bv_val; i++) {
            /*
             * If the interval is 0, then failures
             * stay on the record until explicitly
             * reset by successful authentication.
             */
            if (ppb->pp.pwdFailureCountInterval == 0) {
                fc++;
            } else if (now <=
                        parse_time(a->a_nvals[i].bv_val) +
                        ppb->pp.pwdFailureCountInterval) {
                fc++;
            }
            /*
             * We only count those failures
             * which are not due to expire.
             */
        }
    }
There you can see that when pwdFailureCountInterval is reached, the failure counter is only stopped and not reset. The pwdFailureTime should also be purged. The password failure counter is only reset when a successful authentication is made.

I suggest the following changes to the code:
    /* a, e, ppb, now, fc, mod and m are the enclosing function's variables. */
    if ((a = attr_find( e->e_attrs, ad_pwdFailureTime )) != NULL) {
        for(i=0; a->a_nvals[i].bv_val; i++) {
            /*
             * If the interval is 0, then failures
             * stay on the record until explicitly
             * reset by successful authentication
             * or when pwdFailureCountInterval has been reached.
             */
            if (ppb->pp.pwdFailureCountInterval == 0) {
                fc++;
            } else if (now <=
                        parse_time(a->a_nvals[i].bv_val) +
                        ppb->pp.pwdFailureCountInterval) {
                /*
                 * We only count those failures
                 * which are not due to expire.
                 */
                fc++;
            } else {
                /* pwdFailureCountInterval reached: purge pwdFailureTime and reset the password failure counter. */
                m = ch_calloc( sizeof(Modifications), 1 );
                m->sml_op = LDAP_MOD_DELETE;
                m->sml_flags = 0;
                m->sml_type = ad_pwdFailureTime->ad_cname;
                m->sml_desc = ad_pwdFailureTime;
                m->sml_next = mod;
                mod = m;
                fc = 0;
                /*
                 * The whole attribute is queued for deletion, so stop here:
                 * continuing the loop would queue a duplicate delete for every
                 * further expired value and could leave fc non-zero for values
                 * that are about to be removed anyway.
                 */
                break;
            }
        }
    }
/Regards Mats
-- System Information:
Debian Release: 8.9
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: i386 (i686)
Kernel: Linux 3.16.0-4-686-pae (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
locale: Cannot set LC_ALL to default locale: No such file or directory
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages slapd depends on:
ii adduser 3.113+nmu3
ii coreutils 8.23-4
ii debconf [debconf-2.0] 1.5.56+deb8u1
ii libc6 2.19-18+deb8u10
ii libdb5.3 5.3.28-9
ii libgnutls-deb0-28 3.3.8-6+deb8u7
ii libldap-2.4-2 2.4.40+dfsg-1+deb8u3
ii libltdl7 2.4.2-1.11+b1
ii libodbc1 2.3.1-3
ii libperl5.20 5.20.2-3+deb8u9
ii libsasl2-2 2.1.26.dfsg1-13+deb8u1
ii libslp1 1.2.1-10+deb8u1
ii libwrap0 7.6.q-25
ii lsb-base 4.1+Debian13+nmu1
ii multiarch-support 2.19-18+deb8u10
ii perl [libmime-base64-perl] 5.20.2-3+deb8u9
ii psmisc 22.21-2
Versions of packages slapd recommends:
ii libsasl2-modules 2.1.26.dfsg1-13+deb8u1
Versions of packages slapd suggests:
ii ldap-utils 2.4.40+dfsg-1+deb8u3
pn libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi <none>
-- Configuration Files:
/etc/default/slapd changed:
SLAPD_CONF=
SLAPD_USER="openldap"
SLAPD_GROUP="openldap"
SLAPD_PIDFILE=
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
SLAPD_OPTIONS=""
/etc/ldap/schema/ppolicy.ldif changed:
dn: cn=ppolicy,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: ppolicy
olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {9}( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInterval' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {13}( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {15}( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' DESC 'Loadable module that instantiates "check_password() function' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP top AUXILIARY MAY pwdCheckModule )
olcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )
-- debconf information:
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = "en_US:en",
LC_ALL = (unset),
LC_TIME = "sv_SE.UTF-8",
LC_MONETARY = "sv_SE.UTF-8",
LC_ADDRESS = "sv_SE.UTF-8",
LC_TELEPHONE = "sv_SE.UTF-8",
LC_NAME = "sv_SE.UTF-8",
LC_MEASUREMENT = "sv_SE.UTF-8",
LC_IDENTIFICATION = "sv_SE.UTF-8",
LC_NUMERIC = "sv_SE.UTF-8",
LC_PAPER = "sv_SE.UTF-8",
LANG = "en_US.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("en_US.UTF-8").
locale: Cannot set LC_ALL to default locale: No such file or directory
* slapd/password2: (password omitted)
slapd/internal/adminpw: (password omitted)
* slapd/password1: (password omitted)
slapd/internal/generated_adminpw: (password omitted)
slapd/dump_database_destdir: /var/backups/slapd-VERSION
slapd/upgrade_slapcat_failure:
* slapd/domain: irf.se
* shared/organization: irf
* slapd/no_configuration: false
* slapd/unsafe_selfwrite_acl:
slapd/dump_database: when needed
slapd/password_mismatch:
* slapd/backend: BDB
* slapd/purge_database: true
* slapd/move_old_database: true
slapd/invalid_config: true
* slapd/allow_ldap_v2: true
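The counting loop quoted in the report, as a stand-alone model that can be compiled and run without slapd. This is an added example, not OpenLDAP code and not the reporter's patch: `parse_gentime`, `count_live_failures`, `purge_expired_failures`, `locked_out` and the sample timestamps are all constructed here. `count_live_failures` reproduces the behaviour the report describes (expired values are skipped but kept on the entry), while `purge_expired_failures` drops expired values one by one instead of deleting the whole attribute, which is this example's own choice, so that failures still inside the interval keep counting towards pwdMaxFailure.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/*
 * Model of a ppolicy-style failure counter against pwdFailureCountInterval.
 * Added example, not OpenLDAP code: the real overlay queues LDAP
 * Modifications; here the "purge" is a plain array compaction.
 */

#define SECS_PER_DAY 86400L

/* Days since 1970-01-01 for a proleptic Gregorian civil date. */
static long days_from_civil(int y, int m, int d)
{
    long era, yoe, doy, doe;
    y -= (m <= 2);
    era = (y >= 0 ? y : y - 399) / 400;
    yoe = y - era * 400;
    doy = (153L * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Parse a UTC GeneralizedTime such as "20171208073932Z", the form slapd stores
 * in pwdFailureTime.  Returns -1 on malformed input, like ppolicy's parse_time. */
time_t parse_gentime(const char *s)
{
    int y, mo, d, h, mi, sec;
    if (s == NULL || strlen(s) != 15 || s[14] != 'Z')
        return (time_t)-1;
    if (sscanf(s, "%4d%2d%2d%2d%2d%2d", &y, &mo, &d, &h, &mi, &sec) != 6)
        return (time_t)-1;
    if (mo < 1 || mo > 12 || d < 1 || d > 31 || h > 23 || mi > 59 || sec > 60)
        return (time_t)-1;
    return (time_t)(days_from_civil(y, mo, d) * SECS_PER_DAY
                    + h * 3600L + mi * 60L + sec);
}

/* A value is live while now <= t + interval; interval 0 means it never expires.
 * An unparseable value is treated as expired, which is what the original
 * comparison yields when parse_time returns -1. */
static int is_live(const char *v, time_t now, long interval)
{
    time_t t;
    if (interval == 0)
        return 1;
    t = parse_gentime(v);
    return t != (time_t)-1 && now <= t + interval;
}

/* Behaviour described in the report: count live values, leave the rest on the entry. */
int count_live_failures(const char **times, int n, time_t now, long interval)
{
    int i, fc = 0;
    for (i = 0; i < n; i++)
        if (is_live(times[i], now, interval))
            fc++;
    return fc;
}

/* Purging variant (this example's own choice): expired values are removed from
 * the array, live ones are kept and counted.  Returns the live count and
 * reports how many values were removed via *purged. */
int purge_expired_failures(const char **times, int n, time_t now, long interval,
                           int *purged)
{
    int i, live = 0;
    for (i = 0; i < n; i++)
        if (is_live(times[i], now, interval))
            times[live++] = times[i];
    *purged = n - live;
    return live;
}

/* Lockout decision as pwdLockout with pwdMaxFailure would make it; 0 disables it. */
int locked_out(int fc, int pwdMaxFailure)
{
    return pwdMaxFailure > 0 && fc >= pwdMaxFailure;
}

/* Constructed sample: four failures measured against the mail's timestamp. */
static const char *SAMPLE_TIMES[] = {
    "20171207073932Z", /* one day old */
    "20171208070000Z", /* about 39 minutes old */
    "20171208073000Z", /* about 9 minutes old */
    "20171208073900Z", /* 32 seconds old */
};
#define SAMPLE_N 4
#define SAMPLE_NOW "20171208073932Z"

/* Run the purging variant over a copy of the sample. */
int sample_live_count(long interval, int *purged)
{
    const char *copy[SAMPLE_N];
    memcpy(copy, SAMPLE_TIMES, sizeof copy);
    return purge_expired_failures(copy, SAMPLE_N, parse_gentime(SAMPLE_NOW),
                                  interval, purged);
}

int sample_purged_count(long interval)
{
    int purged;
    sample_live_count(interval, &purged);
    return purged;
}

int main(void)
{
    time_t now = parse_gentime(SAMPLE_NOW);
    int fc, purged;
    fc = count_live_failures(SAMPLE_TIMES, SAMPLE_N, now, 1800);
    printf("interval=1800s, no purge: %d of %d counted, locked=%d\n",
           fc, SAMPLE_N, locked_out(fc, 3));
    fc = sample_live_count(1800, &purged);
    printf("interval=1800s, purge:    %d live, %d removed, locked=%d\n",
           fc, purged, locked_out(fc, 3));
    fc = count_live_failures(SAMPLE_TIMES, SAMPLE_N, now, 0);
    printf("interval=0:               %d counted, locked=%d\n", fc, locked_out(fc, 3));
    return 0;
}
```

With a 30-minute interval and pwdMaxFailure 3, both variants count the same two live failures and do not lock the account; the difference is that the purging variant leaves the entry with only those two pwdFailureTime values, whereas the reported behaviour keeps all four on the entry indefinitely. With the interval set to 0 all four count and the account is locked.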