On 12.05.2016 00:45, Emmanuel Lécharny wrote:
> On 11/05/16 23:05, Jörg Weule wrote:
>> Hello,
>>
>> my server with M21 is locking the account if I use a wrong password
>> several times with ldapsearch. Unfortunately the counter seems not to be
>> incremented when the LdapContext is binding with reconnect(null).
>>
>> Apache James, for example, first does a lookup for the DN and then uses
>> an ldapcontext.reconnect() with the user's credentials in the environment.
>> A wrong user password is checked several times without locking the account
>> as expected. Is there any known bug or solution?
>
> IMO, there is no bind done when doing a JNDI reconnect: the connection
> is simply reused and never closed. In this case, the counter will not be
> incremented.
>
> A quick sample would be useful to check that on a server.
>
To verify the password of a user, we find the following lines in
ReadOnlyLDAPUser.java. Do you think James will never lock the account?
Shall I ask the Apache James project about that issue?
Thanks for your quick answer.
Regards
Jörg
-------------------------- ReadOnlyLDAPUser.java --------------------
/****************************************************************
 * Licensed to the Apache Software Foundation (ASF) under one   *
 * or more contributor license agreements. See the NOTICE file  *
[...]
    /**
     * Verifies that the password supplied is actually the user's password,
     * by attempting to rebind to a copy of the LDAP server context using
     * the user's username and the supplied password.
     *
     * @param password
     *            The password to validate.
     * @return <code>True</code> if a connection can successfully be
     *         established to the LDAP host using the user's id and the
     *         supplied password, and <code>False</code> otherwise.
     */
    public boolean verifyPassword(String password) {
        boolean result = false;
        LdapContext ldapContext = null;
        try {
            // Copy of the already-open (service account) context, not a new connection
            ldapContext = _ldapContext.newInstance(null);
            ldapContext.addToEnvironment(Context.SECURITY_AUTHENTICATION,
                    LdapConstants.SECURITY_AUTHENTICATION_SIMPLE);
            ldapContext.addToEnvironment(Context.SECURITY_PRINCIPAL, _userDN);
            ldapContext.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
            // Re-authenticate on the copied context with the user's credentials
            ldapContext.reconnect(null);
            result = true;
        } catch (NamingException exception) {
            // no-op: any failure (wrong password, locked account, server error) is treated as "not verified"
        } finally {
            if (null != ldapContext) {
                try {
                    ldapContext.close();
                } catch (NamingException ex) {
                    // no-op
                }
            }
        }
        return result;
    }
}
[...]
-------------------------- ReadOnlyLDAPUser.java --------------------
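As an added example (not code from the thread, Apache James or ApacheDS), the same check written so that every verification is a distinct LDAP simple bind on a fresh connection, which is what a server-side password-policy failure counter records; the server URL, the user DN and the lockout threshold of three attempts are assumed placeholders.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/** Added example: password verification by a fresh simple bind per attempt. */
public class FreshBindPasswordCheck {

    // Assumed placeholders; replace with your own server and user entry.
    private static final String LDAP_URL = "ldap://localhost:10389";
    private static final String USER_DN  = "uid=jdoe,ou=users,dc=example,dc=com";

    /** Opens a new connection and binds as userDn; true only if the bind succeeds. */
    public static boolean verifyPassword(String userDn, String password) {
        // Known JNDI/LDAP behaviour: empty credentials turn the bind into an
        // anonymous/unauthenticated bind, which "succeeds" without checking anything.
        if (password == null || password.isEmpty()) {
            return false;
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        LdapContext ctx = null;
        try {
            ctx = new InitialLdapContext(env, null); // the BindRequest is sent here
            return true;
        } catch (AuthenticationException e) {
            return false; // wrong password, or account locked: e.getMessage() carries the server's reason
        } catch (NamingException e) {
            // Connectivity/server errors are not "wrong password"; do not silently return false.
            throw new IllegalStateException("LDAP error during bind", e);
        } finally {
            if (ctx != null) try { ctx.close(); } catch (NamingException ignored) { }
        }
    }

    public static void main(String[] args) {
        String correct = args.length > 0 ? args[0] : "assumed-correct-password";
        // Exercise the policy: three wrong passwords, then the right one.
        for (int i = 1; i <= 3; i++) {
            System.out.println("wrong attempt " + i + ": " + verifyPassword(USER_DN, "not-the-password"));
        }
        // With lockout configured for <= 3 failures, this should print false even for the right password.
        System.out.println("correct password after failures: " + verifyPassword(USER_DN, correct));
    }
}
```

Running it against a server with a password policy enabled and then repeating it against the reconnect() variant above is the quickest way to see whether the failure counter moves in each case.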