Bug 52902 - Password lockout in Samba/AD doesn't trigger ppolicy lockout for OpenLDAP simple bind
Status: NEW
Product: UCS
Classification: Unclassified
Component: S4 Connector
UCS 5.0
Other Linux
P5 normal
Assigned To: Samba maintainers
Depends on:
Blocks:
Reported: 2021-03-14 20:23 CET by Arvid Requate
Modified: 2021-05-07 10:37 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.069
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2021030921000766
Bug group (optional): Error handling, Security, Usability
Max CVSS v3 score:


Description Arvid Requate univentionstaff 2021-03-14 20:23:48 CET
Password lockout in Samba/AD doesn't trigger ppolicy lockout for OpenLDAP simple bind.

See result of Test 1 in Bug #52893 Comment 2 for details.

The S4-Connector password.py could attempt to set pwdAccountLockedTime in OpenLDAP. This will only succeed if the ppolicy overlay is loaded in OpenLDAP. Also, it may require using the "relax" LDAP control because it is an operational attribute.

I think fixing this would improve consistency and security of UCS with respect to the password lockout feature.
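As an added illustration of the approach sketched above (not code from the S4-Connector or UCS): derive the sambaAcctFlags "L" state and the AD lockoutTime into a pwdAccountLockedTime modification, and send it with the Relax Rules control so the server accepts a write to the operational attribute. The connection object, DN and the python-ldap RelaxRulesControl import in apply_with_relax are assumptions; the rest is pure Python.

```python
# Added example: mirror a Samba/AD lockout into OpenLDAP ppolicy state.
from datetime import datetime, timedelta, timezone

# LDAP modify operation codes as used in python-ldap modlists.
MOD_DELETE, MOD_REPLACE = 1, 2
# AD/NT timestamps count 100-ns intervals since 1601-01-01 UTC.
NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def samba_account_locked(samba_acct_flags):
    """sambaAcctFlags looks like '[UL         ]'; 'L' marks a locked-out account."""
    flags = samba_acct_flags.strip()
    if not (flags.startswith("[") and flags.endswith("]")):
        raise ValueError("unexpected sambaAcctFlags format: %r" % samba_acct_flags)
    return "L" in flags[1:-1]


def nt_time_to_generalized(nt_time):
    """Convert an AD lockoutTime (NT time) to LDAP GeneralizedTime, e.g. 20210314192348Z."""
    when = NT_EPOCH + timedelta(microseconds=int(nt_time) // 10)
    return when.strftime("%Y%m%d%H%M%SZ")


def ppolicy_lock_modlist(samba_acct_flags, lockout_time, current_locked_time=None):
    """Return the python-ldap modlist needed so pwdAccountLockedTime matches the Samba state.

    current_locked_time is the value already stored in OpenLDAP (bytes) or None.
    An empty list means nothing has to be written.
    """
    locked = samba_account_locked(samba_acct_flags)
    if locked and int(lockout_time) > 0:
        value = nt_time_to_generalized(lockout_time).encode()
        if current_locked_time == value:
            return []
        return [(MOD_REPLACE, "pwdAccountLockedTime", [value])]
    if not locked and current_locked_time is not None:
        # Samba unlocked the account (or the lockout expired): clear the ppolicy lock.
        return [(MOD_DELETE, "pwdAccountLockedTime", None)]
    return []


def apply_with_relax(conn, dn, modlist):
    """Send the modification with the Relax Rules control (assumed: python-ldap LDAPObject).

    pwdAccountLockedTime is an operational attribute, so without the control the
    server rejects the write; the modify also fails if slapo-ppolicy is not loaded.
    """
    if not modlist:
        return False
    from ldap.controls.simple import RelaxRulesControl  # python-ldap, assumed installed
    conn.modify_ext_s(dn, modlist, serverctrls=[RelaxRulesControl(criticality=True)])
    return True
```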
Comment 1 Arvid Requate univentionstaff 2021-03-15 12:36:19 CET
A different approach would be to make ppolicy check the sambaAcctFlags attribute for "L".
I think that would be more efficient than calling into python-udm on each LDAP bind.