Your message dated Wed, 25 Mar 2020 11:23:53 -0700
with message-id <20200325182353.gb...@t570.nardis.ca>
and subject line Re: Bug#883838: slapd: Overlay ppolicy: When 
pwdFailureCountInterval (!=0) is reached the password failures are not purged.
has caused the Debian Bug report #883838,
regarding slapd: Overlay ppolicy: When pwdFailureCountInterval (!=0) is reached 
the password failures are not purged.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
883838: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883838
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: slapd
Version: 2.4.40+dfsg-1+deb8u3
Severity: normal
Tags: patch

Dear Maintainer,

In the overlay ppolicy you can use the pwdFailureCountInterval attribute. The 
documentation says: "pwdFailureCountInterval attribute holds the number of 
seconds after which the password failures are purged from the failure counter, 
even though no successful authentication occurred.
If pwdFailureCountInterval attribute is not present, or if its value is 0, the 
failure counter is only reset by a successful authentication."

But that doesn't work. I've checked the code for overlay ppolicy and found this 
regarding pwdFailureCountInterval:

if ((a = attr_find( e->e_attrs, ad_pwdFailureTime )) != NULL) {
        for(i=0; a->a_nvals[i].bv_val; i++) {

                /*
                 * If the interval is 0, then failures
                 * stay on the record until explicitly
                 * reset by successful authentication.
                 */
                if (ppb->pp.pwdFailureCountInterval == 0) {
                        fc++;
                } else if (now <=
                        parse_time(a->a_nvals[i].bv_val) +
                        ppb->pp.pwdFailureCountInterval) {
                                        fc++;
                }
                /*
                 * We only count those failures
                 * which are not due to expire.
                 */
        }
}

There you can see that when pwdFailureCountInterval is reached, the failure 
counter is only stopped and not reset. The pwdFailureTime should also be purged.
The password failure counter is only reset when a successful authentication 
is made.

I suggest the following changes to the code:

if ((a = attr_find( e->e_attrs, ad_pwdFailureTime )) != NULL) {
        for(i=0; a->a_nvals[i].bv_val; i++) {

                /*
                 * If the interval is 0, then failures
                 * stay on the record until explicitly
                 * reset by successful authentication
                 * or when pwdFailureCountInterval has been reached.
                 *
                 * We only count those failures
                 * which are not due to expire.
                 */
                if (ppb->pp.pwdFailureCountInterval == 0) {
                        fc++;
                } else if (now <=
                        parse_time(a->a_nvals[i].bv_val) +
                        ppb->pp.pwdFailureCountInterval) {
                        fc++;
                } else {
                        /*
                         * pwdFailureCountInterval reached: purge
                         * pwdFailureTime and reset the password
                         * failure counter. m and mod are the
                         * Modifications list built by the
                         * enclosing function.
                         */
                        if ( attr_find( e->e_attrs, ad_pwdFailureTime )) {
                                m = ch_calloc( sizeof(Modifications), 1 );
                                m->sml_op = LDAP_MOD_DELETE;
                                m->sml_flags = 0;
                                m->sml_type = ad_pwdFailureTime->ad_cname;
                                m->sml_desc = ad_pwdFailureTime;
                                m->sml_next = mod;
                                mod = m;
                        }
                        fc = 0;
                }
        }
}

/Regards Mats

-- System Information:
Debian Release: 8.9
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
locale: Cannot set LC_ALL to default locale: No such file or directory
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages slapd depends on:
ii  adduser                     3.113+nmu3
ii  coreutils                   8.23-4
ii  debconf [debconf-2.0]       1.5.56+deb8u1
ii  libc6                       2.19-18+deb8u10
ii  libdb5.3                    5.3.28-9
ii  libgnutls-deb0-28           3.3.8-6+deb8u7
ii  libldap-2.4-2               2.4.40+dfsg-1+deb8u3
ii  libltdl7                    2.4.2-1.11+b1
ii  libodbc1                    2.3.1-3
ii  libperl5.20                 5.20.2-3+deb8u9
ii  libsasl2-2                  2.1.26.dfsg1-13+deb8u1
ii  libslp1                     1.2.1-10+deb8u1
ii  libwrap0                    7.6.q-25
ii  lsb-base                    4.1+Debian13+nmu1
ii  multiarch-support           2.19-18+deb8u10
ii  perl [libmime-base64-perl]  5.20.2-3+deb8u9
ii  psmisc                      22.21-2

Versions of packages slapd recommends:
ii  libsasl2-modules  2.1.26.dfsg1-13+deb8u1

Versions of packages slapd suggests:
ii  ldap-utils                                             2.4.40+dfsg-1+deb8u3
pn  libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi  <none>

-- Configuration Files:
/etc/default/slapd changed:
SLAPD_CONF=
SLAPD_USER="openldap"
SLAPD_GROUP="openldap"
SLAPD_PIDFILE=
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
SLAPD_OPTIONS=""

/etc/ldap/schema/ppolicy.ldif changed:
dn: cn=ppolicy,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: ppolicy
olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY
  objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY in
 tegerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY in
 tegerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY
  integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
 .27 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUAL
 ITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.12
 1.1.27 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY
  integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.1466.115.121.
 1.27 SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUA
 LITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.1466.115.
 121.1.27 SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQ
 UALITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.1466.11
 5.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY b
 ooleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {9}( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' E
 QUALITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.1466.1
 15.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUAL
 ITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.1466.115.1
 21.1.27 SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInter
 val' EQUALITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.
 1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {13}( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange' 
 EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQUAL
 ITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {15}( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' DESC 'L
 oadable module that instantiates "check_password() function' EQUALITY caseExa
 ctIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP top
  AUXILIARY MAY pwdCheckModule )
olcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXI
 LIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheck
 Quality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $
  pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange
  $ pwdAllowUserChange $ pwdSafeModify ) )


-- debconf information:
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = "en_US:en",
        LC_ALL = (unset),
        LC_TIME = "sv_SE.UTF-8",
        LC_MONETARY = "sv_SE.UTF-8",
        LC_ADDRESS = "sv_SE.UTF-8",
        LC_TELEPHONE = "sv_SE.UTF-8",
        LC_NAME = "sv_SE.UTF-8",
        LC_MEASUREMENT = "sv_SE.UTF-8",
        LC_IDENTIFICATION = "sv_SE.UTF-8",
        LC_NUMERIC = "sv_SE.UTF-8",
        LC_PAPER = "sv_SE.UTF-8",
        LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("en_US.UTF-8").
locale: Cannot set LC_ALL to default locale: No such file or directory
* slapd/password2: (password omitted)
  slapd/internal/adminpw: (password omitted)
* slapd/password1: (password omitted)
  slapd/internal/generated_adminpw: (password omitted)
  slapd/dump_database_destdir: /var/backups/slapd-VERSION
  slapd/upgrade_slapcat_failure:
* slapd/domain: irf.se
* shared/organization: irf
* slapd/no_configuration: false
* slapd/unsafe_selfwrite_acl:
  slapd/dump_database: when needed
  slapd/password_mismatch:
* slapd/backend: BDB
* slapd/purge_database: true
* slapd/move_old_database: true
  slapd/invalid_config: true
* slapd/allow_ldap_v2: true

--- End Message ---
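The counting loop discussed in the report above, as an added example that is not part of the bug report, of OpenLDAP's ppolicy.c or of the Debian package: a stand-alone C program that applies the same "now <= pwdFailureTime + pwdFailureCountInterval" test to a constructed set of pwdFailureTime values and records which values have aged out. The GeneralizedTime parser, the function names (parse_generalized_time, tally_failures, sample_live, sample_purged), the sample timestamps, and the per-value purge (collecting only the expired values rather than deleting the whole attribute, which is what the report's suggested change does) are this example's own assumptions.

```c
/* Added example, not OpenLDAP or Debian code: models the pwdFailureTime
 * counting loop from slapo-ppolicy quoted in the bug report, and records
 * which values have aged past pwdFailureCountInterval so that only those
 * values would be deleted from the entry. All names and the sample data
 * below are this example's own. */
#include <stdio.h>
#include <string.h>

/* Parse LDAP GeneralizedTime "YYYYMMDDHHMMSSZ" (UTC) to seconds since the
 * Unix epoch without depending on timegm(). Returns -1 on malformed input.
 * Assumption: slapd's own parse_time() accepts more forms than this does. */
static long long parse_generalized_time(const char *s)
{
    int y, mo, d, h, mi, sec;
    char z;
    if (strlen(s) != 15 ||
        sscanf(s, "%4d%2d%2d%2d%2d%2d%c", &y, &mo, &d, &h, &mi, &sec, &z) != 7 ||
        z != 'Z' || mo < 1 || mo > 12 || d < 1 || d > 31 ||
        h < 0 || h > 23 || mi < 0 || mi > 59 || sec < 0 || sec > 60)
        return -1;
    /* days since 1970-01-01 in the proleptic Gregorian calendar */
    long long yy = y - (mo <= 2);
    long long era = (yy >= 0 ? yy : yy - 399) / 400;
    long long yoe = yy - era * 400;
    long long doy = (153 * (mo + (mo > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    long long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    long long days = era * 146097 + doe - 719468;
    return days * 86400 + h * 3600 + mi * 60 + sec;
}

struct failure_tally {
    int live;      /* failures still counted toward pwdMaxFailure */
    int expired;   /* failures older than pwdFailureCountInterval */
};

/* Same decision as the overlay's loop: interval 0 means every failure counts
 * until a successful bind; otherwise a failure counts while
 * now <= failure_time + interval. Expired values are copied to `purge`
 * (which must hold n pointers) so a caller could delete exactly those
 * values instead of the whole attribute. Malformed values are skipped. */
static struct failure_tally tally_failures(const char *const *values, size_t n,
                                           long long interval, long long now,
                                           const char **purge, size_t *npurge)
{
    struct failure_tally t = {0, 0};
    *npurge = 0;
    for (size_t i = 0; i < n; i++) {
        long long ts = parse_generalized_time(values[i]);
        if (ts < 0)
            continue;
        if (interval == 0 || now <= ts + interval) {
            t.live++;
        } else {
            t.expired++;
            purge[(*npurge)++] = values[i];
        }
    }
    return t;
}

/* Constructed sample: three failed binds at 10:30, 10:35 and 10:59 UTC,
 * evaluated at 11:00 UTC on the same day. */
static const char *const SAMPLE_FAILURES[] = {
    "20171208103000Z", "20171208103500Z", "20171208105900Z"
};
#define SAMPLE_COUNT (sizeof SAMPLE_FAILURES / sizeof SAMPLE_FAILURES[0])
static const char *const SAMPLE_NOW = "20171208110000Z";

/* Number of sample failures that still count at a given interval. */
static int sample_live(long long interval)
{
    const char *purge[SAMPLE_COUNT];
    size_t np;
    return tally_failures(SAMPLE_FAILURES, SAMPLE_COUNT, interval,
                          parse_generalized_time(SAMPLE_NOW), purge, &np).live;
}

/* Number of sample values that would be purged at a given interval. */
static int sample_purged(long long interval)
{
    const char *purge[SAMPLE_COUNT];
    size_t np;
    tally_failures(SAMPLE_FAILURES, SAMPLE_COUNT, interval,
                   parse_generalized_time(SAMPLE_NOW), purge, &np);
    return (int)np;
}

int main(void)
{
    long long intervals[] = {0, 600, 3600};
    for (size_t i = 0; i < 3; i++)
        printf("pwdFailureCountInterval=%lld: live=%d purged=%d\n",
               intervals[i], sample_live(intervals[i]),
               sample_purged(intervals[i]));
    return 0;
}
```

With an interval of 600 seconds the two older failures no longer count and are the ones a purge should remove, while the 10:59 failure must remain so that a pwdMaxFailure lockout threshold is still enforced; deleting the whole pwdFailureTime attribute would discard that live failure as well, which is the caveat to keep in mind when turning the report's suggestion into a patch.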
--- Begin Message ---
Closing for now, but feel free to reopen if you believe there is still an 
actual bug here. Thanks.

--- End Message ---
