Bug 54507 - Dovecot LDAP-authentication doesn't honor account lockout caused by ppolicy
Status: NEW
Product: UCS
Classification: Unclassified
Component: Mail - Dovecot
UCS 5.0
Other Linux
Priority/Severity: P5 normal
Assigned To: Mail maintainers
Reported: 2022-03-04 11:14 CET by Dirk Ahrnke
Modified: 2024-04-24 18:17 CEST (History)
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.137
School Customer affected?: Yes
requate: Patch_Available+
Description Dirk Ahrnke univentionstaff 2022-03-04 11:14:38 CET
UCS 4.4-8 (e1185)
mailserver app installed on DC Slave/Replica Node
ppolicy activated with 
pwdLockout: TRUE
pwdLockoutDuration: 120
pwdFailureCountInterval: 60

To ensure that Dovecot's auth cache does not affect the result, the following UCRVs are set:

mail/dovecot/auth/cache_negative_ttl: 0
mail/dovecot/auth/cache_size: 0
mail/dovecot/auth/cache_ttl: <empty>

Reproduction:

Try to authenticate against Dovecot using wrong credentials (valid user, wrong password).
After 5 attempts there are 5 values for pwdFailureTime and a timestamp pwdAccountLockedTime is set.

During the timeframe of pwdAccountLockedTime, try to authenticate with valid credentials.

This will fail for LDAP access but succeed for IMAP logons.

Expected result:
IMAP access with valid credentials should be blocked if pwdLockout is TRUE.
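As an added illustration (not part of the report or of UCS), here is a small Python check that evaluates the ppolicy attributes of a user entry the way the overlay does on an LDAP bind, so the directory's lock state can be compared with what Dovecot actually allowed. The policy values follow the report; pwdMaxFailure=5 and all entry values are assumptions/constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed policy values matching the report's ppolicy settings;
# pwdMaxFailure is an assumption (the report only says "after 5 attempts").
POLICY = {"pwdLockout": True, "pwdLockoutDuration": 120,
          "pwdFailureCountInterval": 60, "pwdMaxFailure": 5}

# ppolicy stores this sentinel in pwdAccountLockedTime for a permanent lock
# that only an administrator can clear.
PERMANENT_LOCK = "000001010000Z"


def parse_gtime(value):
    """Parse LDAP GeneralizedTime; pwdFailureTime values carry microseconds."""
    fmt = "%Y%m%d%H%M%S.%fZ" if "." in value else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def is_locked(entry, policy=POLICY, now=None):
    """Return (locked, reason) for a user entry given as {attr: [values]}.

    Mirrors what the ppolicy overlay enforces on bind: once
    pwdAccountLockedTime is set, binds are refused for pwdLockoutDuration
    seconds (0 means until an admin clears it). Reaching pwdMaxFailure
    values of pwdFailureTime inside pwdFailureCountInterval is what
    triggers that lock, so the check flags that condition as well.
    """
    now = now or datetime.now(timezone.utc)
    if not policy["pwdLockout"]:
        return False, "pwdLockout is FALSE"
    locked_at = (entry.get("pwdAccountLockedTime") or [None])[0]
    if locked_at == PERMANENT_LOCK:
        return True, "permanently locked (000001010000Z)"
    if locked_at:
        until = parse_gtime(locked_at) + timedelta(seconds=policy["pwdLockoutDuration"])
        if policy["pwdLockoutDuration"] == 0 or now < until:
            return True, f"locked since {locked_at}"
    window = timedelta(seconds=policy["pwdFailureCountInterval"])
    recent = [t for t in entry.get("pwdFailureTime", [])
              if now - parse_gtime(t) <= window]
    if len(recent) >= policy["pwdMaxFailure"]:
        return True, f"{len(recent)} failures within {window.seconds}s"
    return False, "not locked"


if __name__ == "__main__":
    # Constructed entry: locked 60 s ago, lockout duration 120 s -> still locked.
    sample = {"pwdAccountLockedTime": ["20220304101438Z"]}
    print(is_locked(sample, now=parse_gtime("20220304101538Z")))
```

Run it against the attributes of the test user (for example from an ldapsearch as the directory manager) while reproducing the IMAP login; a (True, ...) result next to a successful IMAP logon is exactly the mismatch the report describes.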
Comment 2 Erik Damrose univentionstaff 2024-04-17 10:43:02 CEST
Info from initial analysis:

We have an OpenLDAP patch

    https://git.knut.univention.de/univention/ucs-patches/-/blob/main/openldap/ucs_5.0-0-errata5.0-1/2.4.47+dfsg-3+deb10u7/70_ppolicy_udm_lock.quilt?ref_type=heads
    That calls the Python function univention.lib.account.lock() to lock the account via UDM.
    That should also lock out Samba and Kerberos, but in my test it only locked sambaAcctFlags, not krb5KDCFlags.

We have these tests:

    10_ldap/50ppolicy_account_lockout
    59_udm/61_test_udm_users_modification_set_deactivation_and_locked.py

Quick test:

    udm users/user create --set username=user1 --set lastname=name1 --set password=univention
    python3 -m univention.lib.account lock --dn uid=user1,dc=ucs50domain,dc=net --lock-time $(date -u +'%Y%m%d%H%M%S'Z)
    Then "L" is set in sambaAcctFlags, but krb5KDCFlags remains 126, as for an unlocked user.
    The cause seems to be that two lines are commented out here, for unclear reasons:

https://git.knut.univention.de/univention/ucs/-/blob/5.0-7/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py?ref_type=heads#L1790

If I re-enable them and run pkill -f cli-server, the lockout works in my manual test (so presumably also via pam_krb5 in the Dovecot and Postfix PAM stacks).