On 03/15/2013 04:42 PM, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 03/11/2013 10:07 PM, Rob Crittenden wrote:
>>>> Fixed a number of issues applying password policy against LDAP binds.
>>>> See patch
>>>> for details.
>>>>
>>>> rob
>>>>
>>>
>>> I see some issues with this fix:
>>>
>>> 1) Shouldn't a group password policy serve only as an override to the main
>>> policy? I.e. if I have this policy:
>>>
>>> # ipa pwpolicy-show test
>>>    Group: test
>>>    Priority: 10
>>>    Max failures: 2
>>>
>>> We should still follow settings other than "Max failures" configured in the
>>> global policy, right? At least Kerberos seems to do it. I think we
>>> should be consistent in this case. Now, other values just seem to be
>>> zero.
>>
>> There should be only one policy. It isn't supposed to merge policies
>> together (there is only one krbPwdPolicyReference per principal).

That's a good point.

>>
>> How is the KDC acting differently?

For example, if you set only the maximal number of bad password guesses, it does
not allow any more (user fbar1 is a member of the test group):

# ipa pwpolicy-mod test --maxfail 3
  Group: test
  Priority: 10
  Max failures: 3

# kinit fbar1
Password for fb...@idm.lab.bos.redhat.com:
kinit: Password incorrect while getting initial credentials
# kinit fbar1
Password for fb...@idm.lab.bos.redhat.com:
kinit: Password incorrect while getting initial credentials
# kinit fbar1
Password for fb...@idm.lab.bos.redhat.com:
kinit: Password incorrect while getting initial credentials
# kinit fbar1
kinit: Clients credentials have been revoked while getting initial credentials

But LDAP binds are still allowed:

# ldapsearch -h localhost -D
uid=fbar1,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com -x -w foo
-s base -b ""
ldap_bind: Invalid credentials (49)

I think this is just caused by different processing of
krbpwdfailurecountinterval in ipa-kdb and in the bind preop (when it is not set,
max auth tries checks are pretty much disabled).

>>
>>> I think we will need to fix both the pre-op and the post-op to make this
>>> work really consistently.
>>>
>>> 2) The lockout post-op still counts failed logins even though we are in
>>> lockout time, is this expected? It is another point of inconsistency
>>> with Kerberos auth. It leaves the user's krbloginfailedcount at "Max
>>> failures".
>>
>> Ok.
>>
>>>
>>> 3) Sometimes, I get into a state when I lockout a new user with Kerberos
>>> and then wait some time until the lockout time passes (no admin unlock),
>>> I am able to run as many LDAP binds as I want.
>>
>> Can you clarify? Successful or unsuccessful binds?

Unsuccessful binds. I will try to reproduce it again when you fix the crash; it
is hard to investigate with this crash around.

>>
>>> This is all I found so far. Honza is also reviewing it, so I will let
>>> him post his findings too.
>>>
>>> Martin
> 
> Here is an updated patch to not increment past the max failures on LDAP binds.

The new patch now causes 389-ds to crash with SIGSEGV if I try to bind as a
user with no group policy assigned (stacktrace attached).

Martin

> 
> I couldn't reproduce your 3rd point.
> 
> rob
> 

Thread 1 (Thread 0x7fdde4ff9700 (LWP 7617)):
#0  __strlen_sse2 () at ../sysdeps/x86_64/strlen.S:31
No locals.
#1  0x00007fddfe4b15bc in slapi_mods_add_string (smods=0x7fddc8001c70, 
modtype=modtype@entry=1, type=type@entry=0x7fddf4b9cf21 "krbLastFailedAuth", 
val=0x0) at ldap/servers/slapd/modutil.c:370
No locals.
#2  0x00007fddf4b9c833 in ipalockout_postop (pb=0x1cad1b0) at ipa_lockout.c:544
        dn = 0x7fddc8000dd0 
"uid=fbar1b,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
        policy_dn = 0x7fddc8005390 
"cn=test,cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
        target_entry = 0x7fddc8008620
        policy_entry = 0x7fddc80026e0
        sdn = 0x7fddc80018c0
        pbtm = 0x0
        smods = 0x0
        objectclass = 0x0
        errstr = 0x0
        ldrc = <optimized out>
        rc = 49
        ret = 0
        failedcount = 1
        failedcountstr = 
"1\000�\001\000\000\000\000\200$\224\001\000\000\000\000�\233�\001\000\000\000\000�Cz\001\000\000\000"
        failed_bind = 1
        max_fail = 3
        utctime = {tm_sec = 0, tm_min = 0, tm_hour = -453022896, tm_mday = 
32733, tm_mon = -453022936, tm_year = 32733, tm_wday = 0, tm_yday = 0, tm_isdst 
= 26485888, tm_gmtoff = 140591433548788, tm_zone = 0x17a4488 ""}
        time_now = 1363608767
        timestr = "34633-453022935"
        failcnt_interval = <optimized out>
        lastfail = 0x0
        tries = 0
        failure = 1
        actual_type_name = 0x7fddc8007c20 "krbPwdPolicyReference"
        attr_free_flags = 2
        values = 0x7fddc8008560
        __func__ = "ipalockout_postop"
#3  0x00007fddfe4bd8e1 in plugin_call_func (list=0x17a4b20, 
operation=operation@entry=501, pb=pb@entry=0x1cad1b0, 
call_one=call_one@entry=0) at ldap/servers/slapd/plugin.c:1453
        n = <optimized out>
        func = 0x7fddf4b9c280 <ipalockout_postop>
        rc = <optimized out>
        return_value = 0
        count = 1
#4  0x00007fddfe4bdb07 in plugin_call_list (pb=0x1cad1b0, operation=501, 
list=<optimized out>) at ldap/servers/slapd/plugin.c:1415
No locals.
#5  plugin_call_plugins (pb=pb@entry=0x1cad1b0, 
whichfunction=whichfunction@entry=501) at ldap/servers/slapd/plugin.c:398
        p = <optimized out>
        plugin_list_number = 2
        rc = 0
        do_op = <optimized out>
#6  0x000000000041172e in do_bind (pb=0x1cad1b0) at 
ldap/servers/slapd/bind.c:818
        ber = <optimized out>
        err = <optimized out>
        isroot = 0
        method = 128
        version = 3
        auth_response_requested = 0
        pw_response_requested = 0
        rawdn = 0x7fddc8000d50 
"uid=fbar1b,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
        dn = <optimized out>
        saslmech = 0x0
        cred = {bv_len = 3, bv_val = 0x7fddc8000ea0 "foo"}
        be = 0x191e730
        ber_rc = <optimized out>
        rc = 2
        sdn = 0x7fddc8000da0
        referral = 0x0
        errorbuf = '\000' <repeats 7080 times>, 
"�6t��\177\000\000\000\000\000\000\000\000\000\000\033\237ֽ\000\000\000\000 
\212���\177\000\000\020\000\000\000\000\000\000\000!\000\000\000\000\000\000\000�>t��\177\000\000\033\000\000\000\000\000\000\000\000\212���\177\000\000|Z�\002\000\000\000\000�6t��\177\000\000\034\071\n��\177\000\000\220u\202\r\000\000\000\000p\212���\177\000\000\020\000\000\000\000\000\000\000!\000\000\000\000\000\000\000�>t��\177\000\000\020\000\000\000\000\000\000\000P\212���\177\000\000�\t6\000\000\000\000\000�<\n��\177\000\000�+\n��\177\000\000\032m@\000\000\000\000\000\t6\000\000\000\000\000\000"...
        supported = <optimized out>
        pmech = <optimized out>
        authtypebuf = '\000' <repeats 255 times>
        bind_target_entry = 0x7fddc8001c90
        auto_bind = <optimized out>
        minssf = <optimized out>
        minssf_exclude_rootdse = <optimized out>
#7  0x0000000000417113 in connection_dispatch_operation (pb=<optimized out>, 
op=0x1cad4b0, conn=0x7fddec156e10) at ldap/servers/slapd/connection.c:568
        minssf = 0
        minssf_exclude_rootdse = <optimized out>
#8  connection_threadmain () at ldap/servers/slapd/connection.c:2345
        is_timedout = 0
        curtime = <optimized out>
        pb = 0x1cad1b0
        interval = 10000
        conn = 0x7fddec156e10
        op = 0x1cad4b0
        tag = 96
        need_wakeup = 0
        need_conn_release = <optimized out>
        thread_turbo_flag = 0
        ret = <optimized out>
        more_data = 0
        replication_connection = <optimized out>
        doshutdown = 0
#9  0x00007fddfcabce23 in _pt_root (arg=0x1ca5020) at 
../../../mozilla/nsprpub/pr/src/pthreads/ptthread.c:156
        thred = 0x1ca5020
        detached = 1
#10 0x00007fddfc45fd15 in start_thread (arg=0x7fdde4ff9700) at 
pthread_create.c:308
        __res = <optimized out>
        pd = 0x7fdde4ff9700
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140591006455552, 
-7801243002481506053, 1, 140591435722752, 140591006455552, 0, 
7784369896572750075, 7784351394420001019}, mask_was_saved = 0}}, priv = {pad = 
{0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = 0
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
#11 0x00007fddfc19246d in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:114
No locals.
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
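The three behaviours argued over in this thread (an unset krbPwdFailureCountInterval silently disabling the max-failures check on the bind path, the post-op counting past "Max failures" during an active lockout, and the NULL value handed to slapi_mods_add_string for krbLastFailedAuth in the trace above) are easy to get wrong independently. The following is an added model of the decisions a lockout pre-op/post-op pair has to make; it is not ipa_lockout.c or any FreeIPA code, and every struct, function and field name in it is hypothetical. Only the attribute names in the comments come from the thread. Policy fields use 0 for "unset", as the LDAP attributes do when absent.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical model, not ipa_lockout.c. Comments name the IPA attributes
 * the thread talks about; the C names are ours. */
typedef struct {
    long max_fail;          /* krbPwdMaxFailure; 0 disables lockout */
    long failcnt_interval;  /* krbPwdFailureCountInterval (s); 0 = unset */
    long lockout_duration;  /* krbPwdLockoutDuration (s); 0 = admin unlock only */
} pwpolicy_t;

typedef struct {
    long failed_count;      /* krbLoginFailedCount */
    time_t last_failed;     /* krbLastFailedAuth; 0 = attribute absent */
} user_state_t;

/* A partial count (below max_fail) decays once the failure-count interval
 * elapses. An unset interval (0) means "never decays"; treating it as a
 * zero-second interval is what makes the max-failures check a no-op. */
static long effective_failed_count(const pwpolicy_t *p, const user_state_t *u, time_t now)
{
    if (u->failed_count <= 0)
        return 0;
    if (u->failed_count < p->max_fail && p->failcnt_interval > 0 &&
        u->last_failed != 0 && now - u->last_failed > p->failcnt_interval)
        return 0;
    return u->failed_count;
}

/* Pre-op side: refuse the bind before the password is even compared? */
static int is_locked_out(const pwpolicy_t *p, const user_state_t *u, time_t now)
{
    if (p->max_fail <= 0 || effective_failed_count(p, u, now) < p->max_fail)
        return 0;
    if (p->lockout_duration <= 0)
        return 1;   /* locked until an admin unlocks */
    if (u->last_failed == 0)
        return 1;   /* cannot prove the lockout expired: fail closed (assumption) */
    return (now - u->last_failed) < p->lockout_duration;
}

/* Post-op side: update counters after a bind and return the new failed
 * count. Failures during an active lockout are neither counted nor
 * timestamped, so the count never exceeds max_fail and guesses cannot
 * extend the lockout window. */
static long record_bind_result(const pwpolicy_t *p, user_state_t *u, time_t now, int bind_failed)
{
    long count;

    if (p->max_fail <= 0)
        return u->failed_count;         /* policy does not track failures */
    if (!bind_failed) {
        u->failed_count = 0;            /* success clears a partial count */
        return 0;
    }
    if (is_locked_out(p, u, now))
        return u->failed_count;
    count = effective_failed_count(p, u, now);
    if (count >= p->max_fail)
        count = 0;                      /* expired lockout: fresh count */
    u->failed_count = count + 1;
    u->last_failed = now;
    return u->failed_count;
}

/* Format a timestamp as LDAP GeneralizedTime ("20130318121247Z"). Returns 0
 * on success, -1 on failure, and always leaves buf a valid string, so the
 * caller has an error to check instead of a NULL to pass to the mods API.
 * Code running in server threads should use gmtime_r instead of gmtime. */
static int format_generalized_time(time_t t, char *buf, size_t buflen)
{
    struct tm *utc;

    if (buf == NULL || buflen == 0)
        return -1;
    buf[0] = '\0';
    utc = gmtime(&t);
    if (utc == NULL || strftime(buf, buflen, "%Y%m%d%H%M%SZ", utc) == 0) {
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed scenario mirroring the thread: max failures 3, interval unset. */
    pwpolicy_t policy = { 3, 0, 600 };
    user_state_t user = { 0, 0 };
    time_t t = 1363608767;              /* time_now from the attached trace */
    char when[32];
    int i;

    for (i = 0; i < 4; i++) {
        int locked = is_locked_out(&policy, &user, t + i);
        long count = record_bind_result(&policy, &user, t + i, 1);
        printf("attempt %d: %s, failed count now %ld\n", i + 1,
               locked ? "refused (locked out)" : "password checked", count);
    }
    if (format_generalized_time(user.last_failed, when, sizeof when) == 0)
        printf("krbLastFailedAuth would be written as %s\n", when);
    return 0;
}
```

Run stand-alone, the fourth attempt is refused with the count still at 3, matching the kinit sequence above rather than the LDAP bind behaviour Martin observed. The two time fields are deliberately kept separate: the interval only governs decay of a count that has not yet reached the limit, and the lockout duration only governs an account that has, so an unset value in either one has one well-defined meaning instead of two.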
