Univention Bugzilla – Bug 54507
Dovecot LDAP authentication doesn't honor account lockout caused by ppolicy
Last modified: 2024-04-24 18:17:35 CEST
UCS 4.4-8 (e1185)
mailserver app installed on DC Slave/Replica Node
ppolicy activated with
pwdLockout: TRUE
pwdLockoutDuration: 120
pwdFailureCountInterval: 60

To ensure that Dovecot's auth cache does not affect the result, the following UCRVs are set:
mail/dovecot/auth/cache_negative_ttl: 0
mail/dovecot/auth/cache_size: 0
mail/dovecot/auth/cache_ttl: <empty>

Reproduction:
Try to authenticate against Dovecot using wrong credentials (valid user, wrong password). After 5 attempts there are 5 values for pwdFailureTime and a timestamp pwdAccountLockedTime is set.
During the timeframe of pwdAccountLockedTime, try to authenticate with valid credentials. This will fail for LDAP access but succeed for IMAP logons.

Expected result:
IMAP access with valid credentials should be blocked if pwdLockout is TRUE.
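To make the expected behaviour concrete, here is an added example (not code from Univention, Dovecot or OpenLDAP) that evaluates the ppolicy lockout state of a user entry from its attributes the way the report expects IMAP authentication to do. It assumes attribute values arrive as lists of strings (the shape python-ldap returns after decoding), that timestamps are UTC GeneralizedTime with an optional fraction, and that pwdLockoutDuration 0 means "locked until reset"; the sample policy and user entry are constructed and do not come from the reporter's system.

```python
from datetime import datetime, timedelta, timezone

# ppolicy stores this special value in pwdAccountLockedTime for an
# administrative lock that never expires on its own.
PERMANENT_LOCK = "000001010000Z"

# Constructed sample data (not taken from the bug report's system): a
# pwdPolicy entry with the values named in the report and a user entry
# after five failed binds. Attribute values are lists of strings.
SAMPLE_POLICY = {
    "pwdLockout": ["TRUE"],
    "pwdLockoutDuration": ["120"],
    "pwdFailureCountInterval": ["60"],
    "pwdMaxFailure": ["5"],
}
SAMPLE_ENTRY = {
    "uid": ["user1"],
    "pwdFailureTime": [
        "20240424155910.000000Z",
        "20240424155920.000000Z",
        "20240424155930.000000Z",
        "20240424155940.000000Z",
        "20240424155950.000000Z",
    ],
    "pwdAccountLockedTime": ["20240424155950Z"],
}


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime in UTC (YYYYMMDDHHMMSS[.ffffff]Z)."""
    main, _, _fraction = value.rstrip("Z").partition(".")
    return datetime.strptime(main, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def recent_failures(entry, policy, now):
    """Number of pwdFailureTime values still inside pwdFailureCountInterval.

    An interval of 0 means failures never age out.
    """
    interval = int(policy.get("pwdFailureCountInterval", ["0"])[0])
    times = [parse_generalized_time(v) for v in entry.get("pwdFailureTime", [])]
    if interval == 0:
        return len(times)
    cutoff = now - timedelta(seconds=interval)
    return sum(1 for t in times if t > cutoff)


def is_locked_out(entry, policy, now):
    """True if ppolicy would reject a bind for this entry at `now`."""
    if policy.get("pwdLockout", ["FALSE"])[0].upper() != "TRUE":
        return False
    locked = entry.get("pwdAccountLockedTime")
    if not locked:
        return False
    if locked[0] == PERMANENT_LOCK:
        return True
    duration = int(policy.get("pwdLockoutDuration", ["0"])[0])
    if duration == 0:
        return True  # stays locked until an administrator resets it
    return now < parse_generalized_time(locked[0]) + timedelta(seconds=duration)


def evaluate(entry, policy, now_str):
    """Summarise the lockout state at a GeneralizedTime `now_str`."""
    now = parse_generalized_time(now_str)
    return {
        "locked": is_locked_out(entry, policy, now),
        "recent_failures": recent_failures(entry, policy, now),
    }


if __name__ == "__main__":
    # With pwdLockoutDuration 120 the constructed lock set at 15:59:50 expires at 16:01:50.
    for ts in ("20240424160000Z", "20240424160030Z", "20240424160200Z"):
        print(ts, evaluate(SAMPLE_ENTRY, SAMPLE_POLICY, ts))
```

A mail service that authenticates via an LDAP passdb but never performs a bind as the user does not get this decision from the ppolicy overlay for free; it either has to bind as the user so the overlay can reject the attempt, or apply a check like the one above to the attributes it reads.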
Info from initial analysis:
We have an OpenLDAP patch
https://git.knut.univention.de/univention/ucs-patches/-/blob/main/openldap/ucs_5.0-0-errata5.0-1/2.4.47+dfsg-3+deb10u7/70_ppolicy_udm_lock.quilt?ref_type=heads
that calls python univention.lib.account.lock() to lock the account via UDM. That should also lock out Samba and Kerberos, but in my test it only locked sambaAcctFlags, not krb5KDCFlags.

We have these tests:
10_ldap/50ppolicy_account_lockout
59_udm/61_test_udm_users_modification_set_deactivation_and_locked.py

Short test:
udm users/user create --set username=user1 --set lastname=name1 --set password=univention
python3 -m univention.lib.account lock --dn uid=user1,dc=ucs50domain,dc=net --lock-time $(date -u +'%Y%m%d%H%M%S'Z)

Then "L" is set in sambaAcctFlags, but krb5KDCFlags is still 126, as for an unlocked user. The cause seems to be that two lines are commented out here for unclear reasons:
https://git.knut.univention.de/univention/ucs/-/blob/5.0-7/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py?ref_type=heads#L1790
If I re-enable them and run pkill -f cli-server, the lockout works in a manual test (so presumably via pam_krb5 also in the dovecot and postfix PAM stacks).