From matsl at irf.se Fri Dec 8 07:39:32 2017
From: matsl at irf.se (Mats Luspa)
Date: Fri, 08 Dec 2017 08:39:32 +0100
Subject: [Pkg-openldap-devel] Bug#883838: slapd: Overlay ppolicy: When pwdFailureCountInterval (!=0) is reached the password failures are not purged.
Message-ID: <20171208073932.10934.91201.reportbug@mailserver.irf.se>

Package: slapd
Version: 2.4.40+dfsg-1+deb8u3
Severity: normal
Tags: patch

Dear Maintainer,

in the overlay ppolicy you can use the pwdFailureCountInterval attribute.
The documentation says:

"pwdFailureCountInterval attribute holds the number of seconds after which
the password failures are purged from the failure counter, even though no
successful authentication occurred. If pwdFailureCountInterval attribute is
not present, or if its value is 0, the failure counter is only reset by a
successful authentication."

But that doesn't work. I've checked the code for overlay ppolicy and found
this regarding pwdFailureCountInterval:

    if ((a = attr_find( e->e_attrs, ad_pwdFailureTime )) != NULL) {
        for(i=0; a->a_nvals[i].bv_val; i++) {
            /*
             * If the interval is 0, then failures
             * stay on the record until explicitly
             * reset by successful authentication.
             */
            if (ppb->pp.pwdFailureCountInterval == 0) {
                fc++;
            }
            else if (now <= parse_time(a->a_nvals[i].bv_val) +
                     ppb->pp.pwdFailureCountInterval) {
                fc++;
            }
            /*
             * We only count those failures
             * which are not due to expire.
             */
        }
    }

There you can see that when pwdFailureCountInterval is reached, the failure
counter is only stopped and not reset. The pwdFailureTime should also be
purged. The password failure counter is only reset when a successful
authentication is made.

I suggest the following changes to the code:

    if ((a = attr_find( e->e_attrs, ad_pwdFailureTime )) != NULL) {
        for(i=0; a->a_nvals[i].bv_val; i++) {
            /*
             * If the interval is 0, then failures
             * stay on the record until explicitly
             * reset by successful authentication
             * or when pwdFailureCountInterval has been reached.
             */
            if (ppb->pp.pwdFailureCountInterval == 0) {
                fc++;
            }
            else if (now <= parse_time(a->a_nvals[i].bv_val) +
                     ppb->pp.pwdFailureCountInterval) {
                fc++;
            }
            /*
             * We only count those failures
             * which are not due to expire.
             */
            else {
                /* pwdFailureCountInterval reached: Purge pwdFailureTimes
                 * and reset password failure counter */
                if ( attr_find( e->e_attrs, ad_pwdFailureTime )) {
                    m = ch_calloc( sizeof(Modifications), 1 );
                    m->sml_op = LDAP_MOD_DELETE;
                    m->sml_flags = 0;
                    m->sml_type = ad_pwdFailureTime->ad_cname;
                    m->sml_desc = ad_pwdFailureTime;
                    m->sml_next = mod;
                    mod = m;
                }
                fc = 0;
            }
        }
    }

/Regards Mats

-- System Information:
Debian Release: 8.9
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set LC_ALL to default locale: No such file or directory UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- Configuration Files:
/etc/default/slapd changed:
SLAPD_CONF=
SLAPD_USER="openldap"
SLAPD_GROUP="openldap"
SLAPD_PIDFILE=
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
SLAPD_OPTIONS=""
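The pwdFailureCountInterval rule the bug report describes, as an added example that is neither the report's code nor slapd's: it parses the GeneralizedTime values ppolicy stores in pwdFailureTime, counts the failures that are still live for a given interval, and flags the expired ones that the report argues should be purged from the entry. parse_gentime and count_failures are hypothetical helpers, and the three sample timestamps are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Parse an LDAP GeneralizedTime such as "20171208073932Z" (the form ppolicy
 * stores in pwdFailureTime) into Unix seconds; -1 if malformed.  Hypothetical
 * stand-in for slapd's own parse_time(). */
static long parse_gentime(const char *s)
{
    int y, mo, d, h, mi, se;
    long era, yoe, doy, doe, days;
    if (strlen(s) != 15 || s[14] != 'Z' ||
        sscanf(s, "%4d%2d%2d%2d%2d%2d", &y, &mo, &d, &h, &mi, &se) != 6 ||
        mo < 1 || mo > 12 || d < 1 || d > 31 || h > 23 || mi > 59 || se > 60)
        return -1;
    /* days-from-civil conversion (proleptic Gregorian), no timegm() needed */
    y -= mo <= 2;
    era = y / 400;
    yoe = y - era * 400;
    doy = (153 * (mo + (mo > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    days = era * 146097 + doe - 719468;
    return days * 86400L + h * 3600L + mi * 60L + se;
}

/* Apply the pwdFailureCountInterval rule from the report to a list of
 * pwdFailureTime values: interval 0 means every failure counts until a
 * successful bind; otherwise only failures no older than the interval count.
 * expired[i] is set to 1 for values the entry should purge (the step the
 * report says is missing).  Returns the live count, or -1 on bad input. */
static int count_failures(const char *const *times, size_t n, long now,
                          long interval, int *expired)
{
    int fc = 0;
    for (size_t i = 0; i < n; i++) {
        long t = parse_gentime(times[i]);
        if (t < 0)
            return -1;
        expired[i] = (interval != 0 && now > t + interval);
        if (!expired[i])
            fc++;
    }
    return fc;
}

/* Constructed sample: three failures, evaluated at 2017-12-08 07:39:32Z. */
static const char *const sample_times[] = {
    "20171208073900Z", "20171208073432Z", "20171208073000Z"
};
static const long sample_now = 1512718772L; /* 20171208073932Z */
```

With a 300-second interval the third sample failure is expired and only two count; with interval 0 all three count, matching the "only reset by a successful authentication" case in the documentation quoted above.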
From ryan at nardis.ca Tue Dec 26 20:55:45 2017
From: ryan at nardis.ca (Ryan Tandy)
Date: Tue, 26 Dec 2017 12:55:45 -0800
Subject: [Pkg-openldap-devel] pkg-openldap and alioth->salsa
In-Reply-To: <20171225104537.GG6919@smithers.snow-crash.org>
References: <20171225104537.GG6919@smithers.snow-crash.org>
Message-ID: <20171226205545.knclfgpgqxmjjcfb@kiwi.nardis.ca>

I just created "openldap-team" on salsa.

https://salsa.debian.org/openldap-team

I intend to migrate the git repository after the service leaves beta
(expected ~1 month from now per d-d-a).

I'm not sure what the exact timeline is for Alioth mailing lists to go
away but I currently plan to deal with that by changing the Maintainer
address to openldap at packages.debian.org when needed.
From mueddib at openldap.org Tue Dec 26 21:24:02 2017
From: mueddib at openldap.org (Ozgur)
Date: Wed, 27 Dec 2017 00:24:02 +0300
Subject: [Pkg-openldap-devel] pkg-openldap and alioth->salsa
In-Reply-To: <20171226205545.knclfgpgqxmjjcfb@kiwi.nardis.ca>
References: <20171225104537.GG6919@smithers.snow-crash.org>
 <20171226205545.knclfgpgqxmjjcfb@kiwi.nardis.ca>
Message-ID: <1370811514323442@web57g.yandex.ru>

26.12.2017, 23:56, "Ryan Tandy" :
> I just created "openldap-team" on salsa.
>
> https://salsa.debian.org/openldap-team
>
> I intend to migrate the git repository after the service leaves beta
> (expected ~1 month from now per d-d-a).
>
> I'm not sure what the exact timeline is for Alioth mailing lists to go
> away but I currently plan to deal with that by changing the Maintainer
> address to openldap at packages.debian.org when needed.

Hello Ryan,

How can I help you? Please tell me what to do to help and I can help you.

Regards
Ozgur