Re: Fwd: Openldap/authconfig authenticating multiple times
- From: Dave Macias <davama [at] gmail.com>
- To: Arthur de Jong <arthur [at] arthurdejong.org>
- Cc: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Fwd: Openldap/authconfig authenticating multiple times
- Date: Tue, 21 Nov 2017 16:36:43 -0500
Thank you very much for the quick reply.
I posted this on the CentOS bug tracker since I use nss-pam-ldapd from the CentOS repo.
As a workaround, I increased the pwdMaxFailure: 18, which is still essentially 6 attempts.
I don't like it but OK for now.
I'll test the patch on a dev box just for fun :D
thanks!
-dave
On Tue, Nov 21, 2017 at 4:00 PM, Arthur de Jong <arthur [at] arthurdejong.org> wrote:
On Tue, 2017-11-21 at 15:33 -0500, Dave Macias wrote:
> Basic background:
> 3 openldap servers with multimaster replication and
> ppolicy pwdMaxFailure: 6.
> When I try to authenticate to the linux box nslcd authenticates to
> all 3 master servers which return 3 failures, which give you
> 3 pwdFailureTime attributes for the account. So after typing the
> password incorrectly twice, the user gets locked out.
This should be fixed in nss-pam-ldapd 0.9.8. The problem was that LDAP
failures generally would trigger a fail-over and retry to a second LDAP
server. This also happened for authentication failures.
The relevant change is here:
https://arthurdejong.org/git/nss-pam-ldapd/commit/?id=d8ad7b127363d6d73ab1de6796886fda5eb07054
I don't think I have a workaround for this (apart from applying the
patch).
Kind regards,
--
-- arthur - arthur [at] arthurdejong.org - https://arthurdejong.org/ --
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
https://lists.arthurdejong.org/nss-pam-ldapd-users/
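The lockout arithmetic discussed in this thread, as a small model added here for illustration (it is not nslcd's code and not the referenced patch): a client that fails over on every bind error records one failure per reachable server, while one that fails over only on unreachable servers records one per login. The function names, the shared counter standing in for replicated pwdFailureTime values, and the two server arrays are assumptions of the example.

```c
#include <stdio.h>

/* Values match LDAP_SUCCESS, LDAP_INVALID_CREDENTIALS and LDAP_SERVER_DOWN
   in OpenLDAP's ldap.h; everything else here is a constructed model. */
enum { RC_SUCCESS = 0, RC_INVALID_CREDENTIALS = 49, RC_SERVER_DOWN = -1 };
#define NUM_SERVERS 3
static const int ALL_UP[NUM_SERVERS] = {1, 1, 1};     /* constructed input */
static const int FIRST_DOWN[NUM_SERVERS] = {0, 1, 1}; /* constructed input */

/* Stands in for the pwdFailureTime values that replication merges onto the
   user's entry, whichever master recorded the failed bind. */
static int failure_times;

static int model_bind(int server_up, int password_ok) {
    if (!server_up) return RC_SERVER_DOWN;
    if (password_ok) return RC_SUCCESS;
    failure_times++;                 /* ppolicy records the failed bind */
    return RC_INVALID_CREDENTIALS;
}

/* One login attempt. retry_on_auth_error=1 models the behaviour described in
   the thread; 0 models failing over only when a server cannot be reached. */
int authenticate(const int up[NUM_SERVERS], int password_ok, int retry_on_auth_error) {
    int rc = RC_SERVER_DOWN;
    for (int i = 0; i < NUM_SERVERS; i++) {
        rc = model_bind(up[i], password_ok);
        if (rc == RC_SUCCESS) break;
        if (rc == RC_INVALID_CREDENTIALS && !retry_on_auth_error) break;
    }
    return rc;
}

/* Wrong-password logins before failure_times reaches pwdMaxFailure.
   Assumes at least one server in up[] is reachable. */
int attempts_until_lockout(const int up[NUM_SERVERS], int pwd_max_failure, int retry) {
    int attempts = 0;
    failure_times = 0;
    while (failure_times < pwd_max_failure) {
        authenticate(up, 0, retry);
        attempts++;
    }
    return attempts;
}

int main(void) {
    printf("retry on auth error, max 6:  %d\n", attempts_until_lockout(ALL_UP, 6, 1));
    printf("retry on auth error, max 18: %d\n", attempts_until_lockout(ALL_UP, 18, 1));
    printf("no retry on auth error, max 6: %d\n", attempts_until_lockout(ALL_UP, 6, 0));
    return 0;
}
```

With one server unreachable, the second mode still fails over past it and records a single failure, so the usable attempt count stays equal to pwdMaxFailure regardless of how many masters are up.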