Bug 54507 - Dovecot LDAP authentication doesn't honor account lockout caused by ppolicy
Summary: Dovecot LDAP authentication doesn't honor account lockout caused by ppolicy
Status: NEW
Alias: None
Product: UCS
Classification: Unclassified
Component: Mail - Dovecot
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Mail maintainers
QA Contact: Mail maintainers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-03-04 11:14 CET by Dirk Ahrnke
Modified: 2025-06-24 11:55 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.137
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2025061821000245
Bug group (optional):
Customer ID: 44145
Max CVSS v3 score:
requate: Patch_Available+


Description Dirk Ahrnke univentionstaff 2022-03-04 11:14:38 CET
UCS 4.4-8 (e1185)
mailserver app installed on DC Slave/Replica Node
ppolicy activated with 
pwdLockout: TRUE
pwdLockoutDuration: 120
pwdFailureCountInterval: 60

To ensure that Dovecot's auth cache does not affect the result, the following UCRVs are set:

mail/dovecot/auth/cache_negative_ttl: 0
mail/dovecot/auth/cache_size: 0
mail/dovecot/auth/cache_ttl: <empty>

reproduction:

try to authenticate against Dovecot using wrong credentials (valid user, wrong password)
after 5 attempts there are 5 values for pwdFailureTime and a timestamp pwdAccountLockedTime is set

During the timeframe of pwdAccountLockedTime try to authenticate with valid credentials.

This will fail for LDAP-access but succeed for IMAP-logons

expected result:
IMAP-access with valid credentials should be blocked if pwdLockout is TRUE
Comment 2 Erik Damrose univentionstaff 2024-04-17 10:43:02 CEST
Info from initial analysis:

We have an OpenLDAP patch

    https://git.knut.univention.de/univention/ucs-patches/-/blob/main/openldap/ucs_5.0-0-errata5.0-1/2.4.47+dfsg-3+deb10u7/70_ppolicy_udm_lock.quilt?ref_type=heads
    That calls python univention.lib.account.lock() to lock the account via UDM
    That should also lock out Samba and Kerberos, but in my test it only locked sambaAcctFlags, not krb5KDCFlags

We have these tests:

    10_ldap/50ppolicy_account_lockout
    59_udm/61_test_udm_users_modification_set_deactivation_and_locked.py



Short test:

    udm users/user create --set username=user1 --set lastname=name1 --set password=univention
    python3 -m univention.lib.account lock --dn uid=user1,dc=ucs50domain,dc=net --lock-time $(date -u +'%Y%m%d%H%M%S'Z )
    Then "L" is set in sambaAcctFlags, but krb5KDCFlags is still 126, as for an unlocked user.
    The cause seems to be that two lines are commented out here for unclear reasons:

https://git.knut.univention.de/univention/ucs/-/blob/5.0-7/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py?ref_type=heads#L1790

If I re-enable them and run pkill -f cli-server, the lockout works in a manual test (so presumably, via pam_krb5, also in the Dovecot and Postfix PAM stacks).
Comment 3 Christina Scheinig univentionstaff 2025-06-24 11:55:05 CEST
I also saw this in another customer environment: krb5KDCFlags is still 126, but the account is locked in Samba

dn: CN=jan100,OU=users,DC=schein,DC=me
lastLogonTimestamp: 2025-06-16 05:40:04
lastLogon: 2025-06-18 09:41:39
badPwdCount: 10
badPasswordTime: 133952038978614410 # → 2025-06-24 03:58:18

and OpenLDAP
univention-ldapsearch -LLL uid=jan100 sambaBadPasswordTime sambaAcctFlags authTimestamp krb5KDCFlags
dn: uid=jan100,ou=users,dc=schein,dc=me
sambaAcctFlags: [UL         ]
sambaBadPasswordTime: 133952038978614410
authTimestamp: 20250624044231Z
krb5KDCFlags: 126
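A small consistency check, added here as an example and not part of UCS or this report: it parses ldapsearch output like the one above, converts the Samba FILETIME in sambaBadPasswordTime, and reports an account that Samba (L in sambaAcctFlags) or ppolicy (pwdAccountLockedTime within pwdLockoutDuration) considers locked while krb5KDCFlags still lacks a lock marker. The pwdAccountLockedTime value is constructed, and treating bit 128 (Heimdal's HDB "invalid" flag) as the Kerberos lock marker is an assumption not stated in the report.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in univention-ldapsearch -LLL format; the first five
# lines are the values quoted in the report, pwdAccountLockedTime is added
# to model the ppolicy lockout from the description (assumption).
SAMPLE_LDIF = """\
dn: uid=jan100,ou=users,dc=schein,dc=me
sambaAcctFlags: [UL         ]
sambaBadPasswordTime: 133952038978614410
authTimestamp: 20250624044231Z
krb5KDCFlags: 126
pwdAccountLockedTime: 20250624015817Z
"""

KRB5_INVALID_BIT = 0x80             # assumption: Heimdal "invalid" flag marks a locked principal
FILETIME_EPOCH_DELTA = 11644473600  # seconds between 1601-01-01 and 1970-01-01 (UTC)


def parse_ldif(text):
    """Parse a single-entry LDIF into a dict (one value per attribute)."""
    entry = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w;-]*):\s*(.*)$", line)
        if m:
            entry[m.group(1)] = m.group(2).strip()
    return entry


def filetime_to_datetime(ft):
    """Convert a Windows/Samba FILETIME (100 ns ticks since 1601) to a UTC datetime."""
    secs = int(ft) // 10_000_000
    return datetime.fromtimestamp(secs - FILETIME_EPOCH_DELTA, tz=timezone.utc)


def generalized_time(s):
    """Parse an LDAP GeneralizedTime value such as 20250624044231Z."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def lock_state(entry, now, lockout_duration=120):
    """Report which subsystems consider the account locked at time `now`."""
    samba_locked = "L" in entry.get("sambaAcctFlags", "")
    krb_locked = int(entry.get("krb5KDCFlags", "0")) & KRB5_INVALID_BIT != 0
    ppolicy_locked = False
    if "pwdAccountLockedTime" in entry:
        locked_at = generalized_time(entry["pwdAccountLockedTime"])
        ppolicy_locked = now < locked_at + timedelta(seconds=lockout_duration)
    return {"samba": samba_locked, "kerberos": krb_locked, "ppolicy": ppolicy_locked}


def inconsistent(entry, now):
    """True when Samba or ppolicy say locked but the Kerberos flags do not."""
    st = lock_state(entry, now)
    return (st["samba"] or st["ppolicy"]) and not st["kerberos"]
```

Run with `lockout_duration` set to the domain's pwdLockoutDuration; the report's lockout (120 s) is the default here.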