```
# 3x Centos7 3.10.0-693.5.2.el7.x86_64 servers
* nss-pam-ldapd-0.8.13-8.el7.x86_64
* openldap-clients-2.4.44-5.el7.x86_64
* openldap-devel-2.4.44-5.el7.x86_64
* openldap-2.4.44-5.el7.x86_64
* openldap-servers-2.4.44-5.el7.x86_64
# All have multi-master replication for user account management
# With ldap ppolicy:
# ppolicy, policies, datacom.net
dn: cn=ppolicy,ou=policies,dc=datacom,dc=net
cn: ppolicy
objectClass: top
objectClass: device
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
pwdAttribute: userPassword
...
...
pwdMaxFailure: 6
$ authconfig --test | grep server
LDAP server = "ldap://localhost/,ldap://[2607:2400:901:36::12]/,ldap://[2a03:c9c0:101:36::12]/"
```
Issue:
When I attempt to authenticate to the Linux box and I fail, the pwdFailureTime attribute gets added 3 times! (I'm assuming 1 for every master LDAP server.) If you fail 1 more time, which will equal 6 fails according to LDAP, then the ppolicy will lock your account. *(pwdAccountLockedTime: 20171114182426Z)
Scenario:
```
ssh <internal-IP>
Password: <type-wrong-pass>
# Three pwdAttribute(s) get added to my user profile
Password: <second-wrong-pass>
# three more pwdAttribute(s) get added
# openldap applies the ppolicy and my account gets locked
$ slapcat -a "uid=dvmacias"
pwdFailureTime: 20171114182419.646689Z
pwdFailureTime: 20171114182419.952958Z
pwdFailureTime: 20171114182420.426413Z
pwdFailureTime: 20171114182425.474426Z
pwdFailureTime: 20171114182425.750335Z
pwdFailureTime: 20171114182426.237932Z
pwdAccountLockedTime: 20171114182426Z
```
I had removed openldap and related pkgs and reinstalled but no change...
Any guess as to where to look??
Any input is appreciated.
Thanks,
-dave
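As an added example (not part of the original post), a small Python script that parses the slapcat output shown above and groups pwdFailureTime values that land within a couple of seconds of each other into one login attempt. It shows the gap between what slapd counts against pwdMaxFailure (six raw failures) and what the user actually did (two attempts). The dn line and the 2-second grouping window are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample: the pwdFailureTime values from the post; the dn line is assumed.
SAMPLE = """dn: uid=dvmacias,ou=people,dc=datacom,dc=net
pwdFailureTime: 20171114182419.646689Z
pwdFailureTime: 20171114182419.952958Z
pwdFailureTime: 20171114182420.426413Z
pwdFailureTime: 20171114182425.474426Z
pwdFailureTime: 20171114182425.750335Z
pwdFailureTime: 20171114182426.237932Z
pwdAccountLockedTime: 20171114182426Z
"""

def parse_generalized_time(value):
    # LDAP GeneralizedTime as slapd writes it: YYYYmmddHHMMSS[.ffffff]Z (always UTC)
    fmt = "%Y%m%d%H%M%S.%fZ" if "." in value else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def failure_times(ldif):
    # Collect every pwdFailureTime value in the entry, oldest first
    return sorted(parse_generalized_time(line.split(":", 1)[1].strip())
                  for line in ldif.splitlines() if line.startswith("pwdFailureTime:"))

def cluster_attempts(times, window=2.0):
    # Timestamps within `window` seconds of the previous one are treated as
    # the same login attempt (one bind per replicated master, as the post suspects)
    clusters = []
    for t in times:
        if clusters and (t - clusters[-1][-1]).total_seconds() <= window:
            clusters[-1].append(t)
        else:
            clusters.append([t])
    return clusters

def summarize(ldif, pwd_max_failure, window=2.0):
    # Compare raw failures (what ppolicy counts) with distinct attempts (what the user did)
    times = failure_times(ldif)
    clusters = cluster_attempts(times, window)
    return {
        "raw_failures": len(times),
        "attempts": len(clusters),
        "per_attempt": [len(c) for c in clusters],
        "locked": any(l.startswith("pwdAccountLockedTime:") for l in ldif.splitlines()),
        "raw_over_max": len(times) >= pwd_max_failure,
        "attempts_over_max": len(clusters) >= pwd_max_failure,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE, pwd_max_failure=6))
```

A per_attempt result of [3, 3] matches the three configured LDAP URIs in the authconfig output, which is the pattern to look for when checking whether the PAM/nslcd side is binding against every master on each failed login.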