Authconfig openldap authenticating multiple times

davama
Posts: 8
Joined: 2015/03/26 20:52:43

Authconfig openldap authenticating multiple times

Postby davama » 2017/11/14 19:08:53

Ok, so environment background:


# 3x CentOS 7 3.10.0-693.5.2.el7.x86_64 servers
* nss-pam-ldapd-0.8.13-8.el7.x86_64
* openldap-clients-2.4.44-5.el7.x86_64
* openldap-devel-2.4.44-5.el7.x86_64
* openldap-2.4.44-5.el7.x86_64
* openldap-servers-2.4.44-5.el7.x86_64
# All have multi-master replication for user account management

# With ldap ppolicy:
# ppolicy, policies, datacom.net
dn: cn=ppolicy,ou=policies,dc=datacom,dc=net
cn: ppolicy
objectClass: top
objectClass: device
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
pwdAttribute: userPassword
...
...
pwdMaxFailure: 6

$ authconfig --test | grep server
 LDAP server = "ldap://localhost/,ldap://[2607:2400:901:36::12]/,ldap://[2a03:c9c0:101:36::12]/"



Issue:

When I attempt to authenticate to the Linux box and fail, the pwdFailureTime attribute gets added 3 times! (I'm assuming 1 for every master ldap server.) If you fail 1 more time, which will equal 6 fails according to ldap, then the ppolicy will lock your account. *(pwdAccountLockedTime: 20171114182426Z)

Scenario:


ssh <internal-IP>
Password: <type-wrong-pass>

# Three pwdFailureTime attributes get added to my user profile

Password: <second-wrong-pass>

# three more pwdFailureTime attributes get added
# openldap applies the ppolicy and my account gets locked
$ slapcat -a "(uid=dvmacias)"
pwdFailureTime: 20171114182419.646689Z
pwdFailureTime: 20171114182419.952958Z
pwdFailureTime: 20171114182420.426413Z
pwdFailureTime: 20171114182425.474426Z
pwdFailureTime: 20171114182425.750335Z
pwdFailureTime: 20171114182426.237932Z
pwdAccountLockedTime: 20171114182426Z


Now I know that's not how it should behave, since I configured a new box with the necessary packages for Linux to authenticate, and on every failure I get 1 pwdFailureTime attribute.
I had removed openldap and related pkgs and reinstalled, but no change...
Any guess as to where to look??

Any input is appreciated.

Thanks,
-dave
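Before chasing the client side, it is worth quantifying exactly what the directory recorded. The script below is an added example for this thread, not code from the post: it parses the slapcat output quoted above (the dn with ou=people is an assumption; the post only shows the attributes), groups the pwdFailureTime stamps that land within a couple of seconds of each other into one password prompt, and reports how many stamps each prompt produced and how many further prompts the account can survive given pwdMaxFailure: 6 from the ppolicy entry.

```python
"""Count pwdFailureTime stamps per login prompt in slapcat/ldapsearch LDIF.

Added example for this thread, not code from the original post. It parses one
entry's LDIF, converts the pwdFailureTime values (LDAP GeneralizedTime), groups
stamps that fall within a short window into one "prompt", and reports how many
failures the ppolicy overlay counted per prompt and how many more prompts the
account can absorb before pwdMaxFailure locks it.
"""
from datetime import datetime, timezone
from math import ceil

# Constructed sample: the pwdFailureTime/pwdAccountLockedTime values quoted in
# the post.  The dn (ou=people) is assumed; the post shows only the attributes.
SAMPLE_LDIF = """\
dn: uid=dvmacias,ou=people,dc=datacom,dc=net
uid: dvmacias
pwdFailureTime: 20171114182419.646689Z
pwdFailureTime: 20171114182419.952958Z
pwdFailureTime: 20171114182420.426413Z
pwdFailureTime: 20171114182425.474426Z
pwdFailureTime: 20171114182425.750335Z
pwdFailureTime: 20171114182426.237932Z
pwdAccountLockedTime: 20171114182426Z
"""

PWD_MAX_FAILURE = 6          # from the ppolicy entry in the post


def parse_generalized_time(value):
    """Parse the two GeneralizedTime shapes OpenLDAP writes: with and without
    fractional seconds.  Only the 'Z' (UTC) form is handled."""
    value = value.strip()
    if not value.endswith("Z"):
        raise ValueError("expected UTC GeneralizedTime: %r" % value)
    body = value[:-1]
    fmt = "%Y%m%d%H%M%S.%f" if "." in body else "%Y%m%d%H%M%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def parse_ldif_entry(text):
    """Minimal LDIF reader for one entry: folds continuation lines, skips
    comments, lower-cases attribute names.  Base64 ('::') values are kept raw."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # RFC 2849 line folding
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def cluster_failures(times, window_seconds=2.0):
    """Group timestamps into bursts: consecutive stamps closer than the window
    are taken to come from the same password prompt."""
    bursts = []
    for t in sorted(times):
        if bursts and (t - bursts[-1][-1]).total_seconds() <= window_seconds:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return bursts


def failure_report(ldif_text, pwd_max_failure=PWD_MAX_FAILURE):
    """Summarise one entry: stamps per prompt, total, lock state, and how many
    further prompts the account can absorb before pwdMaxFailure is reached."""
    attrs = parse_ldif_entry(ldif_text)
    times = [parse_generalized_time(v) for v in attrs.get("pwdfailuretime", [])]
    per_prompt = [len(b) for b in cluster_failures(times)]
    stamps_per_prompt = max(per_prompt, default=1)   # 1 is the healthy value
    remaining = max(0, pwd_max_failure - len(times))
    return {
        "total": len(times),
        "per_prompt": per_prompt,
        "stamps_per_prompt": stamps_per_prompt,
        "locked": "pwdaccountlockedtime" in attrs,
        "prompts_until_lock": ceil(remaining / stamps_per_prompt),
    }


if __name__ == "__main__":
    print(failure_report(SAMPLE_LDIF))
```

Feed it the output of `slapcat -a "(uid=dvmacias)"` (or an `ldapsearch` of the same entry) saved to a file. A `stamps_per_prompt` above 1 means the directory is being asked N times per prompt, so the effective lockout threshold is pwdMaxFailure divided by N: with three stamps per prompt the account in the post is locked after two wrong passwords rather than six, which is also how few attempts anyone who can reach the login prompt needs to lock somebody else out.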

davama

Re: Authconfig openldap authenticating multiple times

Postby davama » 2017/11/17 20:56:24

No replies :_(
That stinks


But just update:

I've been playing with it a bit trying to figure out who is the culprit...

So on one of the offending servers I pointed local Linux auth to a "good" ldap server (my development box) that does not return 3 pwdFailureTime attributes, and it works fine:
*One incorrect password from user equals one pwdFailureTime attribute for that user.*

So I started moving the order of the nslcd URIs on the same offending ldap server:


authconfig --update --ldapserver="goodldap-server,ldapmaster1,ldapmaster2"
# this produced only one pwdFailureTime attribute per ssh failure
authconfig --update --ldapserver="ldapmaster1,goodldap-server,ldapmaster2"
# this produced two attributes per ssh failure
authconfig --update --ldapserver="ldapmaster1,ldapmaster2,goodldap-server"
# as expected, it produced 3 pwdFailureTime attributes per ssh password attempt


So what does this mean?
My guess is that for some reason the failure response from the openldap servers is not "authoritative". So, even if openldap says the password is wrong, it will go to the other openldap servers to check if the password is wrong, which will return that it is, which gives you another 'pwdFailureTime' attribute, and so forth. Hope that makes sense...

Still hoping for my obi-wan to respond :)

Thanks!
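The hypothesis in the post, that a failed bind is not treated as final and the client walks on to the next URI, can be written down as a small model. The following is an added example, not nslcd's or OpenLDAP's code, and it does not claim to reproduce nslcd's real failover path; the server URIs, user and password are made up and multi-master replication is modelled as an instantaneous shared entry. It contrasts a client that falls through on any non-success result with one that fails over only on transport errors and takes the first LDAP result code, including invalidCredentials (49), as authoritative, and it shows what each does to the pwdMaxFailure budget:

```python
"""Model of the mechanism the thread suspects: a client that keeps walking its
URI list after a failed bind makes every replica stamp pwdFailureTime.

Added example; it is not nslcd's or OpenLDAP's code and does not claim to be
nslcd's actual failover logic.  Server names, user and password are made up.
Replication is modelled as an instantaneous shared store.
"""

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49      # RFC 4511 resultCode for a rejected bind


class ReplicatedEntry:
    """The user's entry as seen by all masters after replication converges."""

    def __init__(self, password, pwd_max_failure):
        self.password = password
        self.pwd_max_failure = pwd_max_failure
        self.failure_times = []    # one element per pwdFailureTime value
        self.locked = False        # stands in for pwdAccountLockedTime

    def record_failure(self, master_uri):
        self.failure_times.append(master_uri)
        if len(self.failure_times) >= self.pwd_max_failure:
            self.locked = True


class Master:
    """One OpenLDAP master with the ppolicy overlay active."""

    def __init__(self, uri, entry, up=True):
        self.uri, self.entry, self.up = uri, entry, up

    def bind(self, password):
        if not self.up:
            raise ConnectionError(self.uri)          # transport failure
        if password != self.entry.password:
            self.entry.record_failure(self.uri)      # ppolicy adds pwdFailureTime
            return LDAP_INVALID_CREDENTIALS
        return LDAP_SUCCESS


def bind_fall_through(masters, password):
    """Suspected behaviour: any non-success result leads to the next URI."""
    result = None
    for master in masters:
        try:
            result = master.bind(password)
        except ConnectionError:
            continue
        if result == LDAP_SUCCESS:
            return result
    if result is None:
        raise ConnectionError("no server reachable")
    return result


def bind_authoritative(masters, password):
    """Expected behaviour: only transport errors trigger failover; the first
    LDAP result code, including invalidCredentials, is final."""
    for master in masters:
        try:
            return master.bind(password)
        except ConnectionError:
            continue
    raise ConnectionError("no server reachable")


def build_ring(pwd_max_failure=6, down=()):
    """Three masters sharing one replicated entry (hypothetical URIs)."""
    entry = ReplicatedEntry("correct-password", pwd_max_failure)
    uris = ["ldap://master1/", "ldap://master2/", "ldap://master3/"]
    return [Master(uri, entry, up=uri not in down) for uri in uris]


def run_prompts(strategy, masters, password, prompts):
    """Simulate N password prompts; return (stamps recorded, locked?)."""
    entry = masters[0].entry
    for _ in range(prompts):
        strategy(masters, password)
    return len(entry.failure_times), entry.locked


def prompts_until_lock(pwd_max_failure, stamps_per_prompt):
    """Effective lockout threshold when each prompt yields several stamps."""
    return -(-pwd_max_failure // stamps_per_prompt)   # integer ceiling


if __name__ == "__main__":
    for name, strategy in (("fall-through", bind_fall_through),
                           ("authoritative", bind_authoritative)):
        stamps, locked = run_prompts(strategy, build_ring(), "wrong", 2)
        print("%-13s 2 wrong prompts -> %d stamps, locked=%s"
              % (name, stamps, locked))
```

The authoritative client still fails over when the first master is unreachable, so availability is not the price of getting this right; what changes is that a wrong password costs exactly one pwdFailureTime, whichever master answered. Under the fall-through model the ring in the post (three URIs, pwdMaxFailure 6) locks after two prompts, which matches the slapcat output quoted earlier, and the same arithmetic applies to any `ldap://` list handed to `authconfig --ldapserver`.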