https://bugs.openldap.org/show_bug.cgi?id=9302
Issue ID: 9302
Summary: ppolicy pwdFailureTime race condition leaves account unlocked, violating pwdLockout policy
Product: OpenLDAP
Version: 2.4.50
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: overlays
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Multiple concurrent ldap binds with invalid passwords against a user account
sometimes don't trigger account lockout, even though the number of failed
attempts exceeds the configured pwdLockout policy of the ppolicy overlay.
How to reproduce:
1. Configure the ppolicy overlay with pwdLockout: TRUE
2. Set pwdMaxFailure to some value, e.g. 5
3. Create a test user account and start just enough (or more) parallel
   ldapsearch processes to make the account get locked, e.g. like this in
   bash/sh (note the backgrounding):

   for i in $(seq 6); do
     ldapsearch -x -D "uid=testuser1,$ldap_base" -w invalid >/dev/null 2>&1 &
   done
4. Check the relevant ppolicy attributes, like:

   ldapsearch -x -H LDAPI:// -b "uid=testuser1,$ldap_base" + | \
     grep -E '^(pwdFailureTime|pwdAccountLockedTime):'
This often shows no pwdAccountLockedTime but enough (or more) pwdFailureTime
values to meet the lockout policy.
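The check in step 4 can be automated so an administrator can audit whether an account is in the state this report describes (enough pwdFailureTime values to meet pwdMaxFailure, but no pwdAccountLockedTime). The following is an added example, not part of this report or of OpenLDAP; it parses the LDIF that the ldapsearch above prints (the sample entry below is constructed, with OpenLDAP's microsecond GeneralizedTime format), counts failures, optionally honouring pwdFailureCountInterval, and reports the gap.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: what step 4 prints for an account hit by the race
# (6 failures recorded, no pwdAccountLockedTime set).
SAMPLE_LDIF = """\
dn: uid=testuser1,dc=example,dc=com
pwdFailureTime: 20200701120000.000123Z
pwdFailureTime: 20200701120000.000457Z
pwdFailureTime: 20200701120000.000789Z
pwdFailureTime: 20200701120000.001012Z
pwdFailureTime: 20200701120000.001345Z
pwdFailureTime: 20200701120000.001678Z
"""
GENTIME = re.compile(r"^(\d{14})(?:\.(\d{1,6}))?Z$")

def parse_gentime(value):
    """Parse an LDAP GeneralizedTime, with OpenLDAP's optional fractional seconds."""
    m = GENTIME.match(value.strip())
    if not m:
        raise ValueError("not a GeneralizedTime: %r" % value)
    ts = datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    frac = (m.group(2) or "0").ljust(6, "0")  # pad to microseconds
    return ts + timedelta(microseconds=int(frac))

def ldif_attrs(ldif_text):
    """Collect attribute values from one LDIF entry (no line folding or base64 handled)."""
    attrs = {}
    for line in ldif_text.splitlines():
        if ":" in line and not line.startswith("#"):
            name, _, val = line.partition(":")
            attrs.setdefault(name.strip(), []).append(val.strip())
    return attrs

def lockout_gap(ldif_text, pwd_max_failure, pwd_failure_count_interval=0, now=None):
    """Return (counted_failures, locked). A count >= pwd_max_failure with
    locked == False is the unlocked-but-should-be-locked state of this report."""
    attrs = ldif_attrs(ldif_text)
    failures = sorted(parse_gentime(v) for v in attrs.get("pwdFailureTime", []))
    if pwd_failure_count_interval and failures:
        # interval 0 means failures never expire; otherwise count only recent ones
        ref = now or failures[-1]  # assumption: newest failure stands in for "now"
        cutoff = ref - timedelta(seconds=pwd_failure_count_interval)
        failures = [t for t in failures if t >= cutoff]
    locked = "pwdAccountLockedTime" in attrs
    return len(failures), locked

def should_be_locked(ldif_text, pwd_max_failure, pwd_failure_count_interval=0):
    n, locked = lockout_gap(ldif_text, pwd_max_failure, pwd_failure_count_interval)
    return n >= pwd_max_failure and not locked
```

Feed it the raw output of the step 4 ldapsearch (without the grep) and the policy's pwdMaxFailure; a True result from should_be_locked flags an account the race left unlocked.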