Yes, I can, after 8 consecutive failed authentications, the account can still successfully query the DS with the correct password.
% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w badPword "cn=test-user-account"
ldap_bind: Invalid credentials (49)
% ldapsearch -x -ZZ -LLL -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D "uid=test-user-account,ou=people,dc=my-domain,dc=com" -w goodPwrd "cn=test-user-account"
dn: uid=test-user-account,ou=people,dc=my-domain,dc=com
description: accountHasItsOwnPwdPolicy
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
uid: test-user-account
cn: test-user-account
uidNumber: 2853
gidNumber: 2600
gecos: LDAP Test
homeDirectory: /home/test-user-account
loginShell: /bin/tcsh
On 11/25/2013 5:49 PM, 389-users-request@lists.fedoraproject.org wrote:
From: Rich Megginson rmeggins@redhat.com
To: "General discussion list for the 389 Directory server project." 389-users@lists.fedoraproject.org
Cc: JLPicard jlpicard15@hotmail.com
Subject: Re: [389-users] Password Failure Lockout doesn't seem to work
Message-ID: 5293D3FC.2090907@redhat.com
Content-Type: text/plain; charset="utf-8"; Format="flowed"
On 11/25/2013 03:33 PM, JLPicard wrote:
Hi, I am testing out 389_ds_base, version =1.2.11.15,REV=2013.01.31 running on mixed Solaris 10 servers (SPARC and X86) sourced from http://www.opencsw.org/packages/CSW389-ds-base in multi-master mode with 4 servers that is primarily used for authentication and user/group/netgroup management.
Most of the password policy components seem to work as they should, but password failure account lockout doesn't appear to engage after X failed attempts. After creating a new account and testing a successful login, after 5+ failed logins with bad passwords I can still log in when I would expect to be locked out. I even created a new password policy and applied it to this user, and it still doesn't lock him out after 5+ failed logins with bad passwords.
Can you reproduce the issue with ldapsearch?
ldapsearch ... -D "uid=myuser,...." -w "badpassword" ... repeat 5 times
Hi,
do you have anonymous bind enabled? Maybe this is why it is working?
Just a guess.
Regards.
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
Hi,
did you set: nsslapd-pwpolicy-local: on
in cn=config ?
Ludwig
Yes,
It shows up in the "dse.ldif" file:
root@my-ldapHost01% grep nsslapd-pwpolicy-local dse.ldif
nsslapd-pwpolicy-local: on
It also shows up on ldapsearch:
root@my-ldapHost01% ldapsearch -x -ZZ -LLL -W -h "my-ldapHost01.my-domain.com" -b "dc=my-domain,dc=com" -D 'cn=directory manager' -b 'cn=config' -s base 'objectClass=*' 'nsslapd-pwpolicy-local'
Enter LDAP Password:
dn: cn=config
nsslapd-pwpolicy-local: on
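One way to check the server-side state that Ludwig's and Rich's replies point at, as an added example that is not code from the thread or from the 389 project: it parses the three LDIF entries that decide lockout (cn=config, the policy that applies to the user, and the user entry with its operational attributes) and reports which piece is missing. The attribute names are 389 DS's own; the sample LDIF, its policy DN and timestamps are constructed.

```python
"""Added example, not code from the thread or the 389 project: an offline
check of the 389 DS attributes that decide password-failure lockout. It
assumes three LDIF entries exported with ldapsearch as Directory Manager
(operational attributes must be requested by name or with '+'): cn=config,
the policy entry that applies to the user, and the user entry itself."""
from datetime import datetime, timezone


def parse_ldif(text):
    """Parse one LDIF entry into {attr_lower: [values]}. Folds continuation
    lines; skips comments and base64 ('::') values, which this check never needs."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:        # folded continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, sep, value = line.partition(":")
        if sep and not value.startswith(":"):
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def first(entry, attr, default=None):
    return entry.get(attr.lower(), [default])[0]


def gentime(value):
    """389 DS stores these timestamps as GeneralizedTime, e.g. 20131126141300Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def diagnose_lockout(config, policy, account, now):
    """Return (locked, findings). 'policy' is the entry that supplies the
    password* attributes for this account: cn=config for the global policy, or
    the entry named by the account's pwdpolicysubentry for a local policy."""
    findings = []
    if (first(account, "pwdpolicysubentry")
            and first(config, "nsslapd-pwpolicy-local", "off").lower() != "on"):
        findings.append("local policy assigned but nsslapd-pwpolicy-local is not on")
    if first(policy, "passwordLockout", "off").lower() != "on":
        findings.append("passwordLockout is not on: failed binds are not counted")
    max_fail = int(first(policy, "passwordMaxFailure", "3"))  # 389 DS default is 3
    retries = int(first(account, "passwordRetryCount", "0"))
    reset = first(account, "retryCountResetTime")
    if retries == 0:
        findings.append("passwordRetryCount is 0/absent: this server recorded no "
                        "failures (multi-master: see passwordIsGlobalPolicy)")
    elif reset and gentime(reset) <= now:
        findings.append("retryCountResetTime has passed: the counter is stale")
    unlock = first(account, "accountUnlockTime")
    locked = bool(unlock) and gentime(unlock) > now
    if retries >= max_fail and not locked:
        findings.append("passwordMaxFailure reached but no future accountUnlockTime")
    return locked, findings


# Constructed sample mirroring the thread's symptom: local policies are enabled
# and the user has his own policy, but that policy never turned lockout on, so
# eight bad binds leave no passwordRetryCount and no accountUnlockTime.
CONFIG = "dn: cn=config\nnsslapd-pwpolicy-local: on\npasswordLockout: off\n"
POLICY_DN = "cn=testUserPolicy,cn=nsPwPolicyContainer,ou=people,dc=my-domain,dc=com"
USER_POLICY = f"dn: {POLICY_DN}\npasswordMaxFailure: 5\npasswordLockoutDuration: 600\n"
ACCOUNT = ("dn: uid=test-user-account,ou=people,dc=my-domain,dc=com\n"
           "description: accountHasItsOwnPwdPolicy\n"
           f"pwdpolicysubentry: {POLICY_DN}\n")
NOW = gentime("20131126141300Z")  # constructed "current" time for the samples


def check_thread_case():
    """The thread's state: the correct password still binds; two findings say why."""
    return diagnose_lockout(parse_ldif(CONFIG), parse_ldif(USER_POLICY),
                            parse_ldif(ACCOUNT), NOW)


def check_locked_case():
    """Same account after lockout engaged under a policy with passwordLockout on."""
    policy = parse_ldif(USER_POLICY + "passwordLockout: on\n")
    account = parse_ldif(ACCOUNT + "passwordRetryCount: 5\n"
                         "retryCountResetTime: 20131126142300Z\n"
                         "accountUnlockTime: 20131126142300Z\n")
    return diagnose_lockout(parse_ldif(CONFIG), policy, account, NOW)


if __name__ == "__main__":
    for name, (locked, findings) in (("thread case", check_thread_case()),
                                     ("locked case", check_locked_case())):
        print(name, "locked" if locked else "NOT locked", *findings, sep="\n  ")
```

To run it against a live server, replace the constructed strings with the output of three `ldapsearch -LLL` exports bound as Directory Manager, requesting `passwordRetryCount`, `retryCountResetTime` and `accountUnlockTime` explicitly on the user entry.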
just to think outside of what you have already mentioned:
client nscd service running?
Use authconfig to show whether you have caching and local authorization settings: authconfig-tui
change things on a test client and then tail the /var/log/slapd/<servername>/access (and other) logs while grepping for the user:
tail -f /var/log/slapd/dirsrv1.blah.blah/access | grep bobby
or even
tail -f /var/log/slapd/dirsrv1.blah.blah/* | grep bobby
These issues are happening on a Solaris Sparc server, most of our infrastructure is Solaris Sparc, with some Solaris X86 servers.
The Solaris equivalent of NSCD, "svc:/system/name-service-cache:default", is running.
I am not familiar with authconfig; I can look for the Solaris equivalent to confirm, but I do know that the name-service-cache does cache some account information but regularly refreshes it. I can also confirm the accounts having the issue are not local accounts.