Re: [389-users] Password Failure Lockout doesn't seem to work

2013-12-19 Thread JLPicard
These issues are happening on a Solaris Sparc server, most of our 
infrastructure is Solaris Sparc, with some Solaris X86 servers.


The Solaris equivalent of NSCD called 
svc:/system/name-service-cache:default is running.


I am not familiar with authconfig; I can look for the Solaris equivalent 
to confirm, but I do know that the name-service-cache does cache some 
account information, but regularly refreshes it. I can also confirm the 
accounts having the issue are not local accounts.

On 12/11/2013 1:41 PM, Justin Edmands wrote:

just to think outside of what you have already mentioned:

client nscd service running?

Use authconfig to show if you have caching and local authorization 
settings:

authconfig-tui

change things on a test client and then tail the 
/var/log/slapd/servername/access (and other) logs while grepping for 
the user:


tail -f /var/log/slapd/dirsrv1.blah.blah/access | grep bobby

or even

tail -f /var/log/slapd/dirsrv1.blah.blah/* | grep bobby



On Wed, Dec 11, 2013 at 1:35 PM, JLPicard jlpicar...@hotmail.com wrote:


Yes,

It shows up in the dse.ldif file:
 root@my-ldapHost01% grep nsslapd-pwpolicy-local dse.ldif
 nsslapd-pwpolicy-local: on

It also shows up on ldapsearch:

root@my-ldapHost01% ldapsearch -x -ZZ -LLL -W -h my-ldapHost01.my-domain.com -b dc=my-domain,dc=com -D 'cn=directory manager' -b 'cn=config' -s base 'objectClass=*' 'nsslapd-pwpolicy-local'
Enter LDAP Password:
dn: cn=config
nsslapd-pwpolicy-local: on



On 11/26/2013 9:00 AM, Ludwig Krispenz wrote:

Hi,

did you set:
nsslapd-pwpolicy-local: on

in cn=config ?

Ludwig

On 11/26/2013 02:13 PM, JLPicard wrote:

Yes, I can, after 8 consecutive failed authentications,
the account can still successfully query the DS with the
correct password.

% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b dc=my-domain,dc=com -D uid=test-user-account,ou=people,dc=my-domain,dc=com -w badPword cn=test-user-account
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b dc=my-domain,dc=com -D uid=test-user-account,ou=people,dc=my-domain,dc=com -w badPword cn=test-user-account
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b dc=my-domain,dc=com -D uid=test-user-account,ou=people,dc=my-domain,dc=com -w badPword cn=test-user-account
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b dc=my-domain,dc=com -D uid=test-user-account,ou=people,dc=my-domain,dc=com -w badPword cn=test-user-account
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b dc=my-domain,dc=com -D uid=test-user-account,ou=people,dc=my-domain,dc=com -w badPword cn=test-user-account
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b dc=my-domain,dc=com -D uid=test-user-account,ou=people,dc=my-domain,dc=com -w badPword cn=test-user-account
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b dc=my-domain,dc=com -D uid=test-user-account,ou=people,dc=my-domain,dc=com -w badPword cn=test-user-account
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b dc=my-domain,dc=com -D uid=test-user-account,ou=people,dc=my-domain,dc=com -w badPword cn=test-user-account
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b dc=my-domain,dc=com -D uid=test-user-account,ou=people,dc=my-domain,dc=com -w goodPwrd cn=test-user-account
dn: uid=test-user-account,ou=people,dc=my-domain,dc=com
description: accountHasItsOwnPwdPolicy
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top

Re: [389-users] Password Failure Lockout doesn't seem to work

2013-12-11 Thread JLPicard

Yes,

It shows up in the dse.ldif file:
 root@my-ldapHost01% grep nsslapd-pwpolicy-local dse.ldif
 nsslapd-pwpolicy-local: on

It also shows up on ldapsearch:

root@my-ldapHost01% ldapsearch -x -ZZ -LLL -W -h 
my-ldapHost01.my-domain.com -b dc=my-domain,dc=com -D 'cn=directory 
manager' -b 'cn=config' -s base 'objectClass=*' 'nsslapd-pwpolicy-local'

Enter LDAP Password:
dn: cn=config
nsslapd-pwpolicy-local: on


On 11/26/2013 9:00 AM, Ludwig Krispenz wrote:

Hi,

did you set:
nsslapd-pwpolicy-local: on

in cn=config ?

Ludwig

On 11/26/2013 02:13 PM, JLPicard wrote:
Yes, I can, after 8 consecutive failed authentications, the account 
can still successfully query the DS with the correct password.


% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b 
dc=my-domain,dc=com -D 
uid=test-user-account,ou=people,dc=my-domain,dc=com -w badPword 
cn=test-user-account

ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b 
dc=my-domain,dc=com -D 
uid=test-user-account,ou=people,dc=my-domain,dc=com -w badPword 
cn=test-user-account

ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b 
dc=my-domain,dc=com -D 
uid=test-user-account,ou=people,dc=my-domain,dc=com -w badPword 
cn=test-user-account

ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b 
dc=my-domain,dc=com -D 
uid=test-user-account,ou=people,dc=my-domain,dc=com -w badPword 
cn=test-user-account

ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b 
dc=my-domain,dc=com -D 
uid=test-user-account,ou=people,dc=my-domain,dc=com -w badPword 
cn=test-user-account

ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b 
dc=my-domain,dc=com -D 
uid=test-user-account,ou=people,dc=my-domain,dc=com -w badPword 
cn=test-user-account

ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b 
dc=my-domain,dc=com -D 
uid=test-user-account,ou=people,dc=my-domain,dc=com -w badPword 
cn=test-user-account

ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b 
dc=my-domain,dc=com -D 
uid=test-user-account,ou=people,dc=my-domain,dc=com -w badPword 
cn=test-user-account

ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b 
dc=my-domain,dc=com -D 
uid=test-user-account,ou=people,dc=my-domain,dc=com -w goodPwrd 
cn=test-user-account

dn: uid=test-user-account,ou=people,dc=my-domain,dc=com
description: accountHasItsOwnPwdPolicy
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
uid: test-user-account
cn: test-user-account
uidNumber: 2853
gidNumber: 2600
gecos: LDAP Test
homeDirectory: /home/test-user-account
loginShell: /bin/tcsh


On 11/25/2013 5:49 PM, 389-users-requ...@lists.fedoraproject.org wrote:
From: Rich Megginson rmegg...@redhat.com
To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Cc: JLPicard jlpicar...@hotmail.com
Subject: Re: [389-users] Password Failure Lockout doesn't seem to work
Message-ID: 5293d3fc.2090...@redhat.com
Content-Type: text/plain; charset=utf-8; Format=flowed

On 11/25/2013 03:33 PM, JLPicard wrote:

Hi, I am testing out 389_ds_base, version =1.2.11.15,REV=2013.01.31
running on mixed Solaris 10 servers (SPARC and X86) sourced from
http://www.opencsw.org/packages/CSW389-ds-base
in multi-master mode with 4 servers that is primarily used for
authentication and user/group/netgroup management.

Most of the Password policy components seem to work as they should,
but password failure account lockout doesn't appear to engage after
X-failed attempts.  After creating a new account, testing a successful
login, after 5+ failed logins with bad passwords, I can still login
after I would expect to be locked out.  I even created a new password
policy and applied it to this user and it still doesn't lock him out
after 5+ failed logins with bad passwords.

Can you reproduce the issue with ldapsearch?

ldapsearch ... -D uid=myuser, -w badpassword ...
repeat 5 times




--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users




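Rich's suggestion (reproduce with repeated ldapsearch binds) and Justin's (tail the access log while grepping for the user) can be combined into one server-side check: read the access log, pair each BIND with its RESULT on the same conn/op, and count consecutive err=49 results per DN, resetting the count when the gap exceeds passwordResetFailureCount and clearing it on a successful bind. The script below is an added example, not code from this thread or from the 389 project. Its log lines are constructed in the 389 DS access-log syntax (the DNs apart from the thread's test user, the timestamps and the connection numbers are made up), and it assumes that a bind against a locked account is answered with LDAP result 19 (constraintViolation), which is what 389 DS returns in that case; a DN that reaches the threshold without that result ever appearing is exactly the situation reported in the thread.

```python
"""Correlate BIND and RESULT lines from a 389 Directory Server access log
to count consecutive failed binds per DN, the server-side view of what
passwordMaxFailure and passwordResetFailureCount act on.

Added example for this thread, not code from the list or the 389 project.
The log text is constructed to mimic the access-log syntax; DNs (other
than the thread's test user), timestamps and connection numbers are made
up, and err=19 is assumed to be the result a locked account gets.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LDAP_SUCCESS = 0
LDAP_CONSTRAINT_VIOLATION = 19   # assumed: result for a bind against a locked-out account
LDAP_INVALID_CREDENTIALS = 49    # what the thread's eight bad binds returned

BIND_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

TEST_DN = "uid=test-user-account,ou=people,dc=my-domain,dc=com"
OTHER_DN = "uid=other-user,ou=people,dc=my-domain,dc=com"   # constructed second account


def _bind_pair(ts, conn, dn, err):
    """One constructed BIND/RESULT line pair in access-log syntax."""
    stamp = ts.strftime(TS_FORMAT)
    return (f'[{stamp}] conn={conn} op=0 BIND dn="{dn}" method=128 version=3\n'
            f'[{stamp}] conn={conn} op=0 RESULT err={err} tag=97 nentries=0 etime=0\n')


def build_sample_log():
    """Eight bad binds then a good one for the test user (the thread's sequence),
    and four bad binds then a locked-out bind for a second, constructed user."""
    t0 = datetime(2013, 11, 26, 8, 5, 0, tzinfo=timezone(timedelta(hours=-5)))
    step = timedelta(seconds=5)
    out = []
    for i in range(8):
        out.append(_bind_pair(t0 + i * step, 101 + i, TEST_DN, LDAP_INVALID_CREDENTIALS))
    out.append(_bind_pair(t0 + 8 * step, 109, TEST_DN, LDAP_SUCCESS))
    for i in range(4):
        out.append(_bind_pair(t0 + i * step, 201 + i, OTHER_DN, LDAP_INVALID_CREDENTIALS))
    out.append(_bind_pair(t0 + 4 * step, 205, OTHER_DN, LDAP_CONSTRAINT_VIOLATION))
    return "".join(out)


def parse_bind_results(log_text):
    """Pair each BIND with its RESULT via (conn, op); returns (ts, dn, err) tuples."""
    pending, events = {}, []
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            pending[(m["conn"], m["op"])] = (datetime.strptime(m["ts"], TS_FORMAT), m["dn"])
            continue
        m = RESULT_RE.match(line)
        if m and (m["conn"], m["op"]) in pending:
            ts, dn = pending.pop((m["conn"], m["op"]))
            events.append((ts, dn, int(m["err"])))
    return events


def failure_streaks(events, reset_seconds):
    """Per-DN consecutive-failure count. A gap longer than reset_seconds between
    failures restarts the count (mirroring passwordResetFailureCount), a
    successful bind clears it, and err=19 records that the server did lock the DN."""
    window = timedelta(seconds=reset_seconds)
    state = defaultdict(lambda: {"streak": 0, "max_streak": 0,
                                 "last_failure": None, "locked_seen": False})
    for ts, dn, err in sorted(events):
        s = state[dn]
        if err == LDAP_SUCCESS:
            s["streak"] = 0
        elif err == LDAP_CONSTRAINT_VIOLATION:
            s["locked_seen"] = True
        elif err == LDAP_INVALID_CREDENTIALS:
            if s["last_failure"] is not None and ts - s["last_failure"] > window:
                s["streak"] = 0
            s["streak"] += 1
            s["last_failure"] = ts
            s["max_streak"] = max(s["max_streak"], s["streak"])
    return dict(state)


def not_enforced(state, max_failure):
    """DNs that crossed passwordMaxFailure without the server ever answering err=19."""
    return sorted(dn for dn, s in state.items()
                  if s["max_streak"] >= max_failure and not s["locked_seen"])


if __name__ == "__main__":
    streaks = failure_streaks(parse_bind_results(build_sample_log()), reset_seconds=600)
    for dn, s in streaks.items():
        print(f"{dn}: max streak {s['max_streak']}, lockout seen: {s['locked_seen']}")
    print("lockout not enforced for:", not_enforced(streaks, max_failure=4))
```

To run it against a real instance, replace build_sample_log() with the contents of the access log Justin points at, pass the policy's passwordMaxFailure and passwordResetFailureCount values, and compare the report with what the policy says should have happened.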

Re: [389-users] Password Failure Lockout doesn't seem to work

2013-11-26 Thread JLPicard
Yes, I can, after 8 consecutive failed authentications, the account can 
still successfully query the DS with the correct password.


% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b 
dc=my-domain,dc=com -D 
uid=test-user-account,ou=people,dc=my-domain,dc=com -w badPword 
cn=test-user-account

ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b 
dc=my-domain,dc=com -D 
uid=test-user-account,ou=people,dc=my-domain,dc=com -w badPword 
cn=test-user-account

ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b 
dc=my-domain,dc=com -D 
uid=test-user-account,ou=people,dc=my-domain,dc=com -w badPword 
cn=test-user-account

ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b 
dc=my-domain,dc=com -D 
uid=test-user-account,ou=people,dc=my-domain,dc=com -w badPword 
cn=test-user-account

ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b 
dc=my-domain,dc=com -D 
uid=test-user-account,ou=people,dc=my-domain,dc=com -w badPword 
cn=test-user-account

ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b 
dc=my-domain,dc=com -D 
uid=test-user-account,ou=people,dc=my-domain,dc=com -w badPword 
cn=test-user-account

ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b 
dc=my-domain,dc=com -D 
uid=test-user-account,ou=people,dc=my-domain,dc=com -w badPword 
cn=test-user-account

ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b 
dc=my-domain,dc=com -D 
uid=test-user-account,ou=people,dc=my-domain,dc=com -w badPword 
cn=test-user-account

ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b 
dc=my-domain,dc=com -D 
uid=test-user-account,ou=people,dc=my-domain,dc=com -w goodPwrd 
cn=test-user-account

dn: uid=test-user-account,ou=people,dc=my-domain,dc=com
description: accountHasItsOwnPwdPolicy
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
uid: test-user-account
cn: test-user-account
uidNumber: 2853
gidNumber: 2600
gecos: LDAP Test
homeDirectory: /home/test-user-account
loginShell: /bin/tcsh


On 11/25/2013 5:49 PM, 389-users-requ...@lists.fedoraproject.org wrote:
From: Rich Megginson rmegg...@redhat.com
To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Cc: JLPicard jlpicar...@hotmail.com
Subject: Re: [389-users] Password Failure Lockout doesn't seem to work
Message-ID: 5293d3fc.2090...@redhat.com
Content-Type: text/plain; charset=utf-8; Format=flowed

On 11/25/2013 03:33 PM, JLPicard wrote:

Hi, I am testing out 389_ds_base, version =1.2.11.15,REV=2013.01.31
running on mixed Solaris 10 servers (SPARC and X86) sourced from
http://www.opencsw.org/packages/CSW389-ds-base
in multi-master mode with 4 servers that is primarily used for
authentication and user/group/netgroup management.

Most of the Password policy components seem to work as they should,
but password failure account lockout doesn't appear to engage after
X-failed attempts.  After creating a new account, testing a successful
login, after 5+ failed logins with bad passwords, I can still login
after I would expect to be locked out.  I even created a new password
policy and applied it to this user and it still doesn't lock him out
after 5+ failed logins with bad passwords.

Can you reproduce the issue with ldapsearch?

ldapsearch ... -D uid=myuser, -w badpassword ...
repeat 5 times





[389-users] Password Failure Lockout doesn't seem to work

2013-11-25 Thread JLPicard
Hi, I am testing out 389_ds_base, version =1.2.11.15,REV=2013.01.31 
running on mixed Solaris 10 servers (SPARC and X86) sourced from

http://www.opencsw.org/packages/CSW389-ds-base
in multi-master mode with 4 servers that is primarily used for 
authentication and user/group/netgroup management.


Most of the Password policy components seem to work as they should, but 
password failure account lockout doesn't appear to engage after X-failed 
attempts.  After creating a new account, testing a successful login, 
after 5+ failed logins with bad passwords, I can still login after I 
would expect to be locked out.  I even created a new password policy and 
applied it to this user and it still doesn't lock him out after 5+ 
failed logins with bad passwords.


The client server I am trying to login to is a Solaris 10 Sparc OS that 
successfully integrates into LDAP for authentication and 
user/group/netgroup management.


Can someone recommend some steps to determine where to start attacking 
this issue?  I assume this is a 389DS issue, but I provided a copy of 
our /etc/pam.conf and /etc/nsswitch.conf in case it's a client-side 
configuration issue.


I have provided some quick diagnostics of current settings as they are 
shown below in an ldapsearch-cmd in this environment (see below).  
Thanks in advance for any help you may provide.

#Here is the global password policy:
ldapsearch -x -ZZ -LLL -h ldap-dr01.my-domain.com -D 'cn=directory 
manager'  -b 'cn=config' -s base 'objectClass=*' '*' passwordHistory | 
grep password

passwordInHistory: 6
passwordUnlock: on
passwordGraceLimit: 0
passwordMustChange: off
passwordWarning: 86400
passwordLockout: off
passwordMinLength: 8
passwordMinDigits: 0
passwordMinAlphas: 0
passwordMinUppers: 0
passwordMinLowers: 0
passwordMinSpecials: 0
passwordMin8bit: 0
passwordMaxRepeats: 0
passwordMinCategories: 3
passwordMinTokenLength: 3
passwordMaxFailure: 3
passwordHistory: off
passwordMaxAge: 864
passwordResetFailureCount: 600
passwordisglobalpolicy: on
passwordlegacypolicy: on
passwordtrackupdatetime: off
passwordChange: on
passwordExp: off
passwordLockoutDuration: 3600
passwordCheckSyntax: off
passwordMinAge: 0
passwordStorageScheme: SSHA


#Here is my newly created policy
ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b 
cn=nsPwPolicyContainer,ou=people,dc=my-domain,dc=com 
'(&(objectClass=ldapsubentry)(objectClass=passwordPolicy)(cn=TestNewPolicy))'

dn: cn=TestNewPolicy,cn=nsPwPolicyContainer,ou=people,dc=my-domain,dc=com
cn: TestNewPolicy
objectClass: top
objectClass: ldapsubentry
objectClass: passwordPolicy
passwordMustChange: on
passwordChange: on
passwordMinAge: 0
passwordKeepHistory: on
passwordInHistory: 12
passwordExp: on
passwordMaxAge: 86400
passwordWarning: 1
passwordGraceLimit: 5
passwordLockout: on
passwordMaxFailure: 4
passwordResetDuration: 600
passwordLockoutDuration: 3600
passwordCheckSyntax: on
passwordMinLength: 6
passwordMinAlphas: 1
passwordMinCategories: 1
passwordMinDigits: 1
passwordMinLowers: 1
passwordMinUppers: 1
passwordMinSpecials: 0
passwordMin8bit: 0
passwordMaxRepeats: 0
passwordMinTokenLength: 3
passwordStorageScheme: SSHA

#Here is my newly created user with the test policy applied to him
ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b 
dc=my-domain,dc=com cn=test-user-account

dn: uid=test-user-account,ou=people,dc=my-domain,dc=com
description: accountHasItsOwnPwdPolicy
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
uid: test-user-account
cn: test-user-account
uidNumber: 2853
gidNumber: 2600
gecos: User LDAP Test
homeDirectory: /home/test-user-account
loginShell: /bin/tcsh

ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b 
dc=my-domain,dc=com cn=test-user-account pwdPolicySubentry

dn: uid=test-user-account,ou=people,dc=my-domain,dc=com
pwdPolicySubentry: cn=TestNewPolicy,cn=nsPwPolicyContainer,ou=people,dc=my-domain,dc=com


ldapsearch -x -ZZ -LLL -h my-ldapHost01.my-domain.com -b 
dc=my-domain,dc=com cn=test-user-account passwordExpirationtime

dn: uid=test-user-account,ou=people,dc=my-domain,dc=com
passwordExpirationtime: 20131126160316Z


Here is my Solaris-based PAM file: /etc/pam.conf
#ident  "@(#)pam.conf   1.31    07/12/07 SMI"
#
# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the other section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth required   pam_unix_cred.so.1
login   auth required   pam_dial_auth.so.1
login   auth binding
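The diagnostics above print two policies with different lockout settings (the global one with passwordLockout: off and passwordMaxFailure: 3, the TestNewPolicy subentry with passwordLockout: on and passwordMaxFailure: 4) and an entry whose pwdPolicySubentry names the second. The script below is an added example, not code from this thread or from the 389 project: it reads that LDIF output (copied from the post and trimmed to the lockout-related attributes, with nsslapd-pwpolicy-local: on from the later reply folded into the cn=config entry), applies the documented selection rule (the subentry governs only while nsslapd-pwpolicy-local is on, otherwise the global policy does) and reports what the governing policy says should happen after a given number of consecutive failures. It also lists which lockout attributes the chosen policy never sets, so that server defaults apply; for TestNewPolicy as printed above that includes passwordResetFailureCount, which the global policy sets but the local one names passwordResetDuration instead.

```python
"""Work out which 389 DS password policy governs an entry and what its
lockout settings imply for a run of failed binds.

Added example for this thread, not code from the list or the 389 project.
The LDIF text is copied from the ldapsearch output in the original post
(lockout-related attributes only); the selection rule is the documented
one: the entry's pwdPolicySubentry applies while nsslapd-pwpolicy-local is
on in cn=config, otherwise the global (cn=config) policy applies.
"""

LOCAL_POLICY_DN = "cn=TestNewPolicy,cn=nsPwPolicyContainer,ou=people,dc=my-domain,dc=com"

# cn=config: global policy attributes plus the fine-grained-policy switch.
GLOBAL_POLICY_LDIF = """\
dn: cn=config
nsslapd-pwpolicy-local: on
passwordLockout: off
passwordMaxFailure: 3
passwordResetFailureCount: 600
passwordLockoutDuration: 3600
passwordUnlock: on
"""

# The fine-grained policy applied to the test user, as printed in the post.
LOCAL_POLICY_LDIF = """\
dn: cn=TestNewPolicy,cn=nsPwPolicyContainer,ou=people,dc=my-domain,dc=com
passwordLockout: on
passwordMaxFailure: 4
passwordResetDuration: 600
passwordLockoutDuration: 3600
"""

# The test user's entry, with the long pwdPolicySubentry value folded onto a
# leading-space continuation line the way LDIF output wraps long values.
USER_LDIF = """\
dn: uid=test-user-account,ou=people,dc=my-domain,dc=com
pwdPolicySubentry: cn=TestNewPolicy,cn=nsPwPolicyContainer,
 ou=people,dc=my-domain,dc=com
"""

LOCKOUT_ATTRS = ("passwordLockout", "passwordMaxFailure", "passwordLockoutDuration",
                 "passwordResetFailureCount", "passwordUnlock")


def parse_ldif(text):
    """Minimal LDIF reader: lower-cased attribute names, multi-valued attributes
    kept as lists, leading-space continuation lines joined to the previous value."""
    entry, last = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and last is not None:
            entry[last][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        entry.setdefault(attr, []).append(value.strip())
        last = attr
    return entry


def first(entry, attr, default=None):
    vals = entry.get(attr.lower())
    return vals[0] if vals else default


def effective_policy(config, user, local_policies):
    """Return (label, policy). config is the parsed cn=config entry, which also
    carries the global policy; local_policies maps subentry DN -> parsed entry."""
    local_on = first(config, "nsslapd-pwpolicy-local", "off").lower() == "on"
    sub = first(user, "pwdPolicySubentry")
    if local_on and sub in local_policies:
        return "local:" + sub, local_policies[sub]
    return "global", config


def lockout_expectation(policy, failures):
    """What the policy says should happen after `failures` consecutive bad binds,
    plus the lockout attributes it leaves unset (server defaults apply to those)."""
    not_set = [a for a in LOCKOUT_ATTRS if a.lower() not in policy]
    if first(policy, "passwordLockout", "off").lower() != "on":
        return {"locked": False, "reason": "passwordLockout is off", "not_set": not_set}
    max_failure = int(first(policy, "passwordMaxFailure", "0"))
    if max_failure <= 0:
        return {"locked": False, "reason": "passwordMaxFailure not set", "not_set": not_set}
    locked = failures >= max_failure
    reason = f"{failures} failures {'>=' if locked else '<'} passwordMaxFailure {max_failure}"
    return {"locked": locked, "reason": reason, "not_set": not_set}


def check_thread_case(failures=8):
    """Evaluate the thread's own configuration for a given failure count."""
    config = parse_ldif(GLOBAL_POLICY_LDIF)
    local = parse_ldif(LOCAL_POLICY_LDIF)
    user = parse_ldif(USER_LDIF)
    label, policy = effective_policy(config, user, {first(local, "dn"): local})
    return label, lockout_expectation(policy, failures)


if __name__ == "__main__":
    label, verdict = check_thread_case()
    print(label, verdict)
```

Feeding it the live output of the three ldapsearch commands above instead of the embedded text gives the same verdict for whatever the server currently holds, which separates "the policy says lockout should happen" from "the server is not applying the policy" before any client-side PAM or name-service-cache investigation.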